Symantec Blogs: Security Response

Patrick Fitzgerald | July 22nd, 2009

Recently we came into possession of an Adobe Acrobat PDF file that upon opening drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload. And, during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash—not Adobe Reader as we initially suspected.

An issue in Adobe Flash is more serious. Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products. This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating system independent; therefore, the threat posed by this issue is not to be taken lightly. Flash has become an integral part...

Patrick Fitzgerald | February 24th, 2009

Yesterday, our engineers in Japan noticed the arrival of some unusual submissions from a small number of our customers. All of these submissions contained suspicious Microsoft Office Excel 2007 spreadsheets. Further analysis showed that these files were exploiting a vulnerability in Excel that allowed them to drop and execute a binary onto the file system.

We see this kind of behavior all the time, but as the analysis of the vulnerability progressed it became clear that this vulnerability is one that we had not seen before. It turns out that this vulnerability exists in the old Excel binary .xls format and not the new .xlsx format. Opening the malicious spreadsheet triggers the vulnerability. This causes the shellcode to execute and then drops two files on the system—the malicious binary mentioned earlier and another valid Excel document. The shellcode then executes the dropped file and opens the valid Excel document to mask the fact that Excel has just crashed. This...

Patrick Fitzgerald | February 20th, 2009

Symantec Security Response has received several PDF files that actively exploit a vulnerability in Adobe Reader. We are continuing to remain in contact with Adobe on this vulnerability in order to ensure the security of our mutual customers.

This exploit is currently detected heuristically as Bloodhound.PDF.6 by our products. We have noticed an increase in submissions of similar PDFs using this exploit. So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.

While examining the JavaScript code used for “heap-spraying” in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source! It seems likely that the people behind this threat are using targeted attacks against high-...

Patrick Fitzgerald | October 2nd, 2007

Wireless Equivalency Protocol (WEP) has been one of the hottest topics in Irish news over the last few days. One of the leading providers of DSL in Ireland has supplied users with wireless routers protected using WEP. What made this newsworthy is that it has emerged that the WEP keys used to encrypt the network traffic and to control access to a private network were generated using the Service Set Identifier (SSID). The algorithm used to generate the encryption keys has been analyzed and a tool is freely available which allows anyone within range of the router to trespass on a wireless network that has been secured using the default settings.

The DSL provider and media reports are advising customers that if they change their WEP keys, they will be safe from any trespassers or malicious attackers trying to get onto their network. While it is true that changing the default WEP settings will mitigate this particular attack, it will not make your wireless network secure.

WEP is a flawed...