Attackers Infect Ads With Old Adobe Vulnerability
thethibs writes "eWeek is reporting that just as everyone is buzzing about the latest Adobe vulnerability, someone poisoned ads hosted by Ziff-Davis with an older Adobe exploit (affecting versions 8.12 and earlier, and long since patched). Z-D fixed the problem less than 24 hours after its first appearance. The interesting bit of this is that a bunch of people probably got hit with the old Trojan when they browsed to a story about the new one."
Adobe what? (Score:5, Informative)
While it's fairly evident that they're talking about Adobe Reader, nowhere in the summary does it state which Adobe product this affects. Adobe is a company, not a product, even if it's not called Adobe Acrobat anymore!
Re: (Score:3, Interesting)
I find that most people who just say "Adobe" mean Adobe Photoshop. Apparently this guy meant Adobe Acrobat Reader. I suspected perhaps he meant Adobe Flash Player. Oh well.
Re: (Score:2)
PDF ads... There's an interesting thought.
another good reason...... (Score:5, Interesting)
to run scripts selectively ....
Which I do, and with no script the way I have... *shrugs* the little extra hassle is worth all the benefits!
Re:another good reason...... (Score:4, Informative)
Heh. If they're anything like *me*, they won't be running *any* Adobe software at all. :D
Re:another good reason...... (Score:5, Informative)
Blocking scripts isn't guaranteed to protect you from this kind of attack, since the article specifically mentioned that the attack used iframes. Loading a PDF into an iframe can be done with no scripting; this will either trigger a file download or will invoke the Adobe Reader plug-in (or whatever other plug-in your browser is configured to use to display PDF files).
However, if the iframe is inserted into the DOM by a script (not uncommon with advertisements these days), then yeah, blocking scripts would prevent it.
Of course, I imagine the attempt to install a rogue application would trigger a UAC prompt on Vista, protecting anyone on that platform who isn't a moron.
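As an added example (not code from any poster in this thread), a small checker an ad-ops reviewer could run over a creative before it is served; it flags both forms of the pattern described above: a frame that points straight at a PDF, and a frame that a script builds at runtime. The ad markup and the domain are constructed placeholders.

```python
# Added example: flag ad creatives that load a PDF through a frame, either
# statically in the markup or via a script that inserts the frame at runtime.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FRAME_TAGS = {"iframe", "frame", "embed", "object"}

def looks_like_pdf(url, mime=""):
    """True if the URL path ends in .pdf or the declared MIME type is PDF."""
    return urlparse(url).path.lower().endswith(".pdf") or mime.lower() == "application/pdf"

# createElement('iframe'), an <iframe literal written by script, or a .src
# assignment pointing at a .pdf all count as a script-inserted frame.
DYNAMIC_FRAME = re.compile(
    r"createElement\(\s*['\"]iframe['\"]\s*\)|<iframe|\.src\s*=\s*['\"][^'\"]+\.pdf", re.I)

class PdfFrameScanner(HTMLParser):
    """Collects static PDF frames and the text of every <script> element."""
    def __init__(self):
        super().__init__()
        self.findings, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self.scripts.append("")          # start a buffer for this script
        elif tag in FRAME_TAGS:
            src = a.get("src") or a.get("data") or ""
            if looks_like_pdf(src, a.get("type", "")):
                self.findings.append(("static-" + tag, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data         # script bodies may arrive in chunks

def scan_creative(html):
    """Return a list of (kind, detail) findings for one ad creative."""
    p = PdfFrameScanner()
    p.feed(html)
    for js in p.scripts:
        if DYNAMIC_FRAME.search(js):
            p.findings.append(("script-inserted-frame", js.strip()[:60]))
    return p.findings

# Constructed sample creative (placeholder domain), not a captured ad.
SAMPLE_AD = """<div class="ad"><a href="http://ads.example.invalid/c"><img src="b.gif"></a></div>
<iframe src="http://ads.example.invalid/doc.pdf" width="1" height="1"></iframe>
<script>var f = document.createElement('iframe');
f.src = 'http://ads.example.invalid/other.pdf'; document.body.appendChild(f);</script>"""
```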
Re:another good reason...... (Score:5, Informative)
Blocking scripts isn't guaranteed to protect you from this kind of attack, since the article specifically mentioned that the attack used iframes.
Let me remind you that NoScript (TM) not only protects you from scripts. It also protects you from clickjacking (iframes or not), in-iframe browsing, embedded objects and other nuisances.
With NoScript installed, the only way I could be hit with malicious code would be through an HTML or CSS buffer overflow vulnerability - and that's why I keep my distro up to date.
Re: (Score:2)
I think he meant no script allowed, and not actually NoScript the product though...
Re:another good reason...... (Score:4, Informative)
NoScript blocks iframes, but it is not enabled by default. You have to drill through preferences, which I do anyway, but some might not.
Perhaps it's time to default-enable security enhancing features and if it BREAKS something, turn them off selectively, instead of the converse.
Or is it more work to click through a menu than to reformat and reinstall because you got hosed?
Re: (Score:2)
I guess you didn't bother reading Secunia yesterday.
Scripting disable is irrelevant.
So what exactly happened? (Score:5, Interesting)
So what servers were actually compromised by hackers? According to the article, Stephen Wellman, director of community and content for Ziff Davis Enterprise, says no ZD web sites were compromised and it "was not our fault." Whose fault was it? Does ZD use a third-party advertising service? If so, does anyone else use that same advertising service? If ZD runs its own ad servers, how is this not ZD's fault?
Re:So what exactly happened? (Score:5, Insightful)
I loaded eweek in Firefox, and adblock stopped ads from Doubleclick, Googlesyndication, and Atdmt.com. I'm guessing it came from the last one.
These are huge advertisers (atdmt.com is Microsoft, and you probably know that Google bought DoubleClick). Was one of them hacked? If so, what does this have to do with ZD at all?
Re: (Score:2)
But don't you see? Your favorite sites are going to have to shut down if you use AdBlock, 'cause then you're stealing their content! You're really going to just have to take one for the team.
Re: (Score:2)
Ad servers have been distributing malware for years. The way it works is that the "big name" ad server posts content directing your browser to a "partner" who has paid them money. That "partner" could be a legitimate advertiser, or it could be a sleazy malware purveyor who will launch an exploit to install junk on your computer. (No, I'm not sure how you distinguish between "legitimate" and "sleazy" advertisers.) The "big name" ad company doesn't care, they've already been paid. What does this have to do wi
Re: (Score:1)
So what servers were actually compromised by hackers?
Adobe.
Whose fault was it?
Adobe!
Does ZD use a third-party advertising service?
8.12. Adobe, 8.12!
If so, does anyone else use that same advertising service?
Adobe.
If ZD runs its own ad servers, how is this not ZD's fault?
Ad.. adobe?
Work computers (Score:3, Funny)
Our computers at work will probably get trashed from this. They only use Adobe reader, some old unpatched version, and only IE without any adblocking. Microsoft shop don't you know.
Re: (Score:2, Insightful)
I understand the resistance to upgrading to a major version (9), but if one, especially a company, doesn't apply a free update to the same major version, that system is not managed and should be taken off the internet.
As far as I know Adobe uses the ultra paranoid Microsoft Installer on Windows, and it has excellent admin options like rollback and deployment.
An old computer isn't an excuse; they are being really lazy. I mean, one should use the advantages of the platform if they are stuck with it.
Re: (Score:2)
I've got a customer that's using software - not legacy software, mind you - that requires, get this....Acrobat Reader 4.0. Install anything newer, and it won't work.
Acrobat 4 being the antique POS that it is, it doesn't work on XP as anything other than admin.
Because they have to run in an AD domain environment, that means the receptionist at the front desk has write access to \\server\C$. Brilliant. And the company that writes this crap software doesn't see this as a problem. And because this customer
Re: (Score:2)
That is awful but it is really the original software's genius developer to blame.
I wonder how he managed to do it, since Acrobat is more like QuickTime in terms of the way it is developed. You know, if a program is coded without massive hacks and depends on QuickTime in the 4.0 days, you can update QuickTime to 7 and expect it to keep working as usual. I actually have a couple of programs that even work with added performance in such a situation.
Documents are not applications (Score:5, Insightful)
If a "document" wants to _do_ anything, then it is not a document, and should be given the same trust as other programs. The Microsoftification of the world must stop.
Re: (Score:1, Interesting)
Actually, the early history of the evolution of the graphical web browser--after NCSA Mosaic was first released--tends to show the first ones to try to make an otherwise static HTML document have state (via cookies) and dynamic content (via LiveScript which later became JavaScript) would have been the ones who brought those features to the web in a *Netscape Navigator* release version.
So I tend to go ahead and blame them for de-facto planting the early seeds that allowed for privacy risks and web page vulne
Re:Documents are not applications (Score:4, Insightful)
Microsoft predates this with their stupid decision to have macros in Word 6.0 back in 1993. The first time that I read about that feature (that the macros could be saved in the document) I said that it would get used for making a virus. It actually took a surprisingly long time for the first virus to be released.
I imagine that there must have been some similar "feature" in spreadsheets before that.
Word macros aren't really the problem. (Score:4, Insightful)
Who cares if accountants have macros that autosum three pages of figures. I just want to punch the idiot who thought that it's OK to have a macro alter/save files other than the active file, or connect to outside data sources (e.g. teh intarwebz) without a big freaking' popup asking for a manual confirmation.
What probably happened is some clever punk thought it would be smart to just tie it to the VBScript engine, and let anything happen, rather than developing a special macro language for office.
Re:Documents are not applications (Score:5, Funny)
... rather than improperly blaming Microsoft
Woah, woah, woah.... just where do you think you are?
Re:Documents are not applications (Score:4, Interesting)
You mean, like when a text file starts behaving like a program? What about simple text files with '#! /bin/sh' on the first line?
Unix had it right: everything is a file. Period. Programs, data ports, IP connections, shell scripts. All files. Simple, human-understandable permissions. This isn't anything to do with Microsoft, it's just the natural order of developers scratching their itch.
Re: (Score:2)
If we followed your logic, we'd never have web apps.
The company is vulnerable? (Score:3, Funny)
I see no mention in the summary of a specific product. Since I'm not going to RTFA, should I just assume that, since I don't own Adobe stock, I'm not affected?
Don't use AR. If you must use AR, turn off JS. (Score:5, Insightful)
Don't have anonymous sex with strangers in bath-houses. Or if you must have anonymous sex with strangers in bath-houses use a condom. This has been a public service message.
In other words, don't use AR. Use Evince (on Linux) or Sumatra PDF (Windows). If you must use AR, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".
No, none of this has much to do with PDF's merits as a file format. Embedding JS in PDF was a mistake. The mistake won't hurt you if you take these elementary precautions.
Re: (Score:2)
Wait; back up.
How do I have sex with a PDF again?
Re: (Score:2, Informative)
Any advertiser is going to want a click to end up as a visit to their site, one way or another - and once there it's out of Ziff-Davis' hands.
Re: (Score:2)
If dart can be compromised to serve up malicious files then chances are it can be compromised to disable this scan too.
Gotta case, right here (Score:1, Informative)
Yup, this happened to me. Browsed to one of their pages using Firefox. Immediately, without any user interaction, a file called doc.pdf was downloaded from feelyouinside.com. Since I was using Firefox 10 with evince, everything stopped there. --AA
I got hit by a very similar one (Score:3, Informative)
I got hit before the weekend by a very similar one, but not exactly the same.
Browsing with fully patched FF & WinXP. But yeah, I have the little puppy updater from Adobe disabled (because it tries to shit everywhere). Why can't people make an updater that is just an updater and doesn't try to sneak in other shit?
Anyways, I was looking for some guitar cases, and a pop-under showed up (apparently this is another problem that cannot be fixed 100%...), and then a crash message saying "~.exe" had crashed. You try to google ~.exe, and see what you find...
Okay, so I realize this is not good and bring up task manager and see a task named "4.pr". Fuck, this is really not good.
So I unplug, go to another machine and figure some stuff out. There are two files in the c: root directory: p3.bat and 4.pr. Looks like also some rogue version of wdmaud.sys.
Looks like the crash caused the trojan to not install successfully, but still, this is the first time in my > 20 years messing with computers that I got p0wned.
So I'm mad as hell, and sure, I'm stupid. I know FF loads certain plugins automagically (which is something I really don't like) but I didn't really think of it loading AR... Normally I download PDFs first. As a matter of fact, I DON'T WANT to use AR as a plugin.
In any case, I've decided a couple of things:
- I will never install Acrobat Reader again. I will advise anyone that listens to do the same. Either find an alternative, or just forget about viewing the content. It can't be that important.
- For other plugins, especially those that are hard to do without like Flash, I will search for Open Source alternatives.
- VMs. I never liked VMs, but it seems like there's no way around it. I'm thinking three VMs: one for crazy browsing, one for the normal stuff (eBay/slashdot) and one for sensitive stuff (banks/paypal). The big advantage is that you can snapshot them, so that if one gets hit, you aren't immediately dead in the water. Instead you fire up the old snapshot.
- Again review what can be done to have a reasonable browsing experience while having plugins disabled by default.
- All (remotely) sensitive data goes on a truecrypt drive that automatically dismounts. I've been using it for really sensitive data and it works great.
But the other thing I have to say though: PLEASE Firefox developers, have a mode that does NOT load any plugins, but displays their content as an empty square first. Then if you want to see it, I can click on it or something. Maybe noscript is the thing; last time I looked it was too tedious to use. Maybe now I'll feel differently.
btw. Just for shits and grins, you should look at what plugins are installed for Firefox: Tools->Add-ons->Plugins tab. I was surprised to say the least.
Re: (Score:2)
Just for shits and grins, you should look at what plugins are installed for Firefox: Tools->Add-ons->Plugins tab.
Okees.
So I look and I find:
Am I supposed to find something sinister here?
Just curious, because here's my typical FF Extension/Addons/Etc. Set that I run under Win and Mac FF 3:
Enabled Extensions: [16]
* Adblock Filterset.G Updater 0.3.1
This explains those random PDFs on my desktop (Score:3, Interesting)
It seems that I was fortunate. I never opened them since I didn't know where they came from, they went straight to the bin.