Attackers Infect Ads With Old Adobe Vulnerability 70
thethibs writes "eWeek is reporting that just as everyone is buzzing about the latest Adobe vulnerability, someone poisoned ads hosted by Ziff-Davis with an older Adobe exploit (affecting versions 8.12 and earlier, and long since patched). Z-D fixed the problem less than 24 hours after its first appearance. The interesting bit of this is that a bunch of people probably got hit with the old Trojan when they browsed to a story about the new one."
Adobe what? (Score:5, Informative)
While it's fairly evident that they're talking about Adobe Reader, nowhere in the summary does it state which Adobe product this affects. Adobe is a company, not a product, even if it's not called Adobe Acrobat anymore!
Re:another good reason...... (Score:3, Informative)
Re:another good reason...... (Score:5, Informative)
Blocking scripts isn't guaranteed to protect you from this kind of attack, since the article specifically mentioned that the attack used iframes. Loading a PDF into an iframe can be done with no scripting; this will either trigger a file download or will invoke the Adobe Reader plug-in (or whatever other plug-in your browser is configured to use to display PDF files).
However, if the iframe is inserted into the DOM by a script (not uncommon with advertisements these days), then yeah, blocking scripts would prevent it.
Of course, I imagine the attempt to install a rogue application would trigger a UAC prompt on VIsta, protecting anyone on that platform who isn't a moron.
Re:another good reason...... (Score:5, Informative)
Blocking scripts isn't guaranteed to protect you from this kind of attack, since the article specifically mentioned that the attack used iframes.
Let me remind you that NoScript (TM) not only protects you from scripts. It also protects you from clickjacking (iframes or not), in-iframe browsing, embedded objects and other nuisances.
With noscript installed, the only way I could be hit with malicious code would be through an html or css buffer overflow vulnerability - and that's why I keep my distro up to date.
Re:another good reason...... (Score:4, Informative)
Noscript blocks iframes, but not default enabled. You have to drill through preferences, which I do anyway, but some might not.
Perhaps it's time to default-enable security enhancing features and if it BREAKS something, turn them off selectively, instead of the converse.
Or is it more work to click through a menu than to reformat and reinstall because you got hosed?
Gotta case, right here (Score:1, Informative)
Yup, this happened to me. Browsed to one of their pages using Firefox. Immediately, without any user interaction, a file called doc.pdf was downloaded from feelyouinside.com. Since I was using Firefox 10 with evince, everything stopped there. --AA
Re:Interesting (Score:2, Informative)
Any advertiser is going to want a click to end up as a vist to their site, one way or another - and once there it's out of Ziff-Davis' hands.
I got hit by a very similar one (Score:3, Informative)
I got hit before the weekend by a very similar one, but not exactly the same.
Browsing with fully patched FF & WinXP. But yeah, I have the little puppy updater from Adobe disabled (because it tries to shit everywhere). Why can't people make an updater that is just an updater and doesn't try to sneak in other shit?
Anyways, I was looking for some guitar cases, and a pop-under showed up (apparently this is another problem that can not be fixed a 100%...), and then a crash message saying "~.exe" had crashed. You try to google ~.exe, and see what you find...
Okay, so I realize this is not good and bring up task manager and see a task named "4.pr". Fuck, this is really not good.
So I unplug, go to another machine and figure some stuff out. There's two files in the c: root directory: p3.bat and 4.pr. Looks like also some rogue version of wdmaud.sys.
Looks like the crash caused the trojan to not install successfully, but still, this is the first time in my > 20 years messing with computers that I got p0wned.
So I'm mad as hell, and sure, I'm stupid. I know FF loads certain plugins automagically (which is something I really don't like) but I didn't really think of it loading AR... Normally I download PDFs first. As a matter of fact, I DON'T WANT to use AR as a plugin.
In any case, I've decided a couple of things:
- I will never install Acrobat Reader again. I will advise anyone that listens to do the same. Either find an alternative, or just forget about viewing the content. It can't be that important.
- For other plugins, especially those that are hard to do without like Flash, I will search for Open Source alternatives.
- VMs. I never liked VMs, but it seems like there's no way around it. I'm thinking three VMs: one for crazy browsing, one for the normal stuff (eBay/slashdot) and one for sensitive stuff (banks/paypal). The big advantage is that you can snapshot them, so that if one gets hit, you aren't immediately dead in the water. Instead you fire up the old snapshot.
- Again review what can be done to have a reasonable browsing experience while having plugins disabled by default.
- All (remotely) sensitive data goes on a truecrypt drive that automatically dismounts. I've been using it for really sensitive data and it works great.
But the other thing I have to say though: PLEASE Firefox developers, have a mode that does NOT load any plugins, but displays their content as an empty square first. Then if you want to see it, I can click on it or something. Maybe noscript is the thing; last time I looked it was too tedious to use. Maybe now I'll feel differently.
btw. Just for shits an grins, you should look at what plugins are installed for Firefox: Tools->Add-ons->Plugins tab. I was surprised to say the least.
Re:another good reason...... (Score:4, Informative)
Heh. If they're anything like *me*, they won't be running *any* Adobe software at all. :D
Re:So what exactly happened? (Score:2, Informative)
Comment removed (Score:3, Informative)