Current events: Adobe Reader Vulnerability

By sojc701 at 7:57 pm on February 20, 2009 | 7 Comments

Hackers are targeting a zero-day vulnerability affecting Adobe Reader and Acrobat with malicious PDF files. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. Hackers have been spreading malicious PDF files containing the Pidief Trojan. If a person opens the file, the Trojan attempts to exploit an unpatched processing error in Adobe Acrobat Reader 8 and 9, which results in a buffer overflow.

The bug is due to an error in the parsing of certain structures in PDF files. If exploited successfully, the bug could allow a hacker to take complete control of a vulnerable system. “In parsing a specially-crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location, The attacks, found in the field, use the infamous heap spray method via JavaScript to achieve control of code execution.” blogged McAfee researcher Geok Meng Ong.

In the meantime, security researchers at the Shadowserver Foundation recommend users consider disabling JavaScript. Symantec also recommended Adobe users keep their antivirus up-to-date. “While we continue to investigate this issue, customers are advised to follow best practices and only open email attachments from people they trust,” blogged Symantec researcher Patrick Fitzgerald. “Enabling DEP (Data Execution Prevention) for Adobe Reader will also help prevent this type of attack.”

Adobe acknowledged the zero-day in an advisory to customers calling it critical. It confirmed the flaw in Adobe Reader 9 and Acrobat 9 as well as Adobe Reader and Acrobat 8.1.3 and earlier versions. Adobe officials say a fix for the issue will be available for Adobe Reader and Adobe Acrobat in the coming weeks.

Filed under: Current Events7 Comments »

XSS in the Wild (Updated)

By erielt at 10:51 am on | 8 Comments

When I recently tried to look up some information about the song L’America by The Doors, I stumbled upon the site songfacts.com (http://www.songfacts.com/detail.php?id=278). At the site, I was immediately greeted by a popup box cheerfully proclaiming “HAI2U”. After having dealt with this extensively in lab 2, I immediately recognized this as an XSS vulnerability that someone had taken advantage of. Looking into the source code, I saw that the javascript alert was the only thing that had been done–luckily not too malicious. Unfortunately, the code was also in a permanent comment on the site so that any visitor to the site is subjected to the attack rather than having to special link. The attack was done with a simple script tag, so obviously little or no filtering is being done. I sent an email off to the site telling them about their vulnerability, what a malicious user could use it for, and how to fix it with a php filter and a link to suitable filter. Although part of me wanted to play around with the security hole a little more (perhaps a real life version of lab 2?), I thought it would be better to try to have them fix the site. I like songfacts because there are some interesting things, so I rather they fix it then have someone else break the site with redirects, cookie stealing, or any other similiar (or even more malicious) things. I just wanted to let everyone know that what we did in lab 2 is most definitely applicable to real life and XSS vulnerabilities are still out there on many different sites.

One other thing I wanted to ask others about is how would you deal with this situation of finding a vulnerability in a website? Would you anonymously report it to the site or offer to help? Or would you try to look into the security hole a little more to see what was there? Perhaps a few people would even want to do some semi malicious things to see what was possible (although I’m sure no one will post that). Also, has anyone else encountered XSS attacks in the wild?

As a side note, please don’t exploit this because the vulnerability is still there on that site. Remember, you signed legally binding and restricting ethics forms!

Update:

After I emailed the website, they took out the offending post and also asked me for more information on fixing this problem. I wrote some more information for them and tried to help clear up this security vulnerability as well as others that may arise from the same issue of user input sanitation. The admin was very glad to have help and offered to send me a t-shirt in return for my help. It looks like being good and helpful paid off.

On another note, I have found XSS vulnerabilities to be way too common on the web. As dangerous as these can be, it seems like site administrators are not well informed about these problems. While just going about normal business on the web, I also found an XSS vulnerability in the Windermere real estate pages. I have emailed that webmaster as well so hopefully they are as receptive to the problems as the first site owner was.

Filed under: Miscellaneous8 Comments »

Security Review: Self-scanning Checkout

By devynp at 7:14 am on | 3 Comments

Self-scanning checkout, also called “self-checkout” is an automated process that enables shoppers to scan, bag, and pay for their purchases without human assistance. A typical self-scanning checkout lane looks like a traditional checkout lane except that the shopper interacts with a computer’s user interface (UI) instead of with a store employee. Instructions are given to guide shoppers to complete the checkout process. Typically, the customer scan each item or manually enter its identification code and bag it. The weight observed in the bagging area is verified against previously stored information to ensure that the correct item is bagged, allowing the customer to proceed only if the observed and expected weights match. After scanning and bagging, customer may choose method of payment: debit card, credit card, or cash. There is normally an attendant watching over several self checkout machines, to provide assistance, prevent theft through exploitation of the machines’ weaknesses, and to enforce payment. Attendant assistance is also required for the purchase of age-restricted items.

(Read on …)

Filed under: Security Reviews3 Comments »