Embedded PDF executable hack

Embedded PDF executable hack goes live in Zeus malware attacks (Ryan Naraine at ZDNet)

Yes, there has been a lot of coverage of Adobe Reader vulnerabilities, and this one is no exception, with good reason: it is being actively exploited.

This is the same /launch feature built into Adobe Reader that was already being exploited to run malicious code. This one also arrives via email, and the PDF carries an embedded attachment within the document. That attachment is an executable; if you run it, it installs the Zeus bot on your computer.

It is no longer enough to disable JavaScript alone; more is needed to thwart this attack.

From the article:

Here are the instructions for mitigating a potential attack:

* Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”

As with any attachment, it is important to save PDF files from email to disk rather than opening them directly from the email client, so you can virus-scan the file before opening it.

While you are in the Preferences, make sure JavaScript is turned off, and consider disabling the viewing of PDF files inside browser windows. That can be inconvenient at times, but it will keep you safer, at least for now.
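To put the "save it, then scan it before you open it" advice into practice, here is a small triage script. It is an added example, not code from the ZDNet article or from this post, and it inspects a saved PDF for the features this attack relies on: a /Launch action, an embedded file, script, and an automatic open action. It also inflates Flate-compressed streams so indicators hidden inside compression are still seen. The sample PDFs it scans are constructed inline with harmless text standing in for any executable, and the verdict labels "block", "review" and "allow" are this example's own convention.

```python
"""Pre-open triage for PDF attachments. Added example: flags the PDF features
the attack above relies on (/Launch, embedded files, script, /OpenAction)."""
import re
import sys
import zlib

# Raw name-token patterns. Matching bytes rather than fully parsing the file
# is deliberate: malformed PDFs that a strict parser rejects still get flagged.
INDICATORS = {
    "launch_action": re.compile(rb"/Launch\b"),          # run an external program
    "embedded_file": re.compile(rb"/EmbeddedFiles?\b"),  # attachment carried inside
    "javascript":    re.compile(rb"/(?:JavaScript|JS)\b"),
    "open_action":   re.compile(rb"/OpenAction\b"),      # fires as soon as the file opens
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
LAUNCH_TARGET_RE = re.compile(rb"/Launch.{0,200}?/F\s*\(([^)]*)\)", re.S)


def _expand_streams(data: bytes) -> bytes:
    """Append the inflated content of every Flate-compressed stream, so that
    indicators hidden inside compressed objects are visible to the scan."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # uncompressed or damaged stream; its raw bytes are already in data
    return b"\n".join(parts)


def scan_pdf_bytes(data: bytes) -> dict:
    """Return which indicators are present, any /Launch target, and a verdict
    ('block', 'review' or 'allow'; these labels are this example's own)."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    body = _expand_streams(data)
    found = {name: bool(rx.search(body)) for name, rx in INDICATORS.items()}
    targets = [t.decode("latin-1") for t in LAUNCH_TARGET_RE.findall(body)]
    if found["launch_action"]:
        verdict = "block"    # the /Launch pattern described in the post
    elif found["javascript"] or found["embedded_file"]:
        verdict = "review"   # risky capability present; open only in a hardened reader
    else:
        verdict = "allow"
    return {"indicators": found, "launch_targets": targets, "verdict": verdict}


def scan_pdf_file(path: str) -> dict:
    """Scan a PDF saved to disk (download it first, as the post recommends)."""
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())


# Constructed sample that mimics the structure of the attack: an embedded file
# plus an OpenAction that launches it. The "payload" is plain text, not a program.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles << /Names [(invoice.exe) 5 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /S /Launch /F (invoice.exe) >> endobj
5 0 obj << /Type /Filespec /F (invoice.exe) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 20 >>
stream
harmless placeholder
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: one empty page, no actions or attachments.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def flate_javascript_sample() -> bytes:
    """Constructed sample with a script action hidden in a Flate-compressed
    stream; shows why the scan inflates streams instead of grepping raw bytes."""
    inner = zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
    header = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
    obj = (b"2 0 obj << /Filter /FlateDecode /Length "
           + str(len(inner)).encode() + b" >>\nstream\n")
    return header + obj + inner + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_pdf_file(path))
    print("constructed sample:", scan_pdf_bytes(SUSPICIOUS_PDF)["verdict"])
```

Run it as `python pdf_triage.py saved_attachment.pdf` after saving the attachment to disk. A "block" verdict means the file asks the reader to launch an external program, which is exactly what the Trust Manager setting above prevents; the script is a pre-check, not a substitute for that setting or for a virus scan.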

If you use Firefox, one way to keep PDF files from opening in the browser is to install the PDF Download extension, which lets you download a PDF rather than open it in the browser, and gives you a chance to decide whether you really want to open it at all.

Microsoft offers ‘fix-it’ workaround for Internet Explorer Zero Day Exploit

Ryan Naraine at his ZDNet blog has an article about Microsoft’s ‘Fix-It’ workaround for the Zero Day Internet Explorer Exploit.

Microsoft did not fix this with the ‘Patch Tuesday’ updates despite the fact that it was being actively exploited! Thankfully, they have now provided a workaround that I highly recommend folks take advantage of, especially if you regularly use Internet Explorer, or even use Windows but use Firefox or another browser as your default browser.

As Ryan Naraine notes,

The workaround [e]ffectively disables peer factory in the iepeers.dll binary in affected versions of Internet Explorer.

The workaround, available here, comes on the heels of the public release of exploit code into the freely available Metasploit pen-testing framework.

The link goes to the Microsoft website for KB981374.

Microsoft, in that KB article, urges users to upgrade to Internet Explorer 8 because it is NOT vulnerable to this attack.

Of course, those still running Windows 2000 will not be able to make use of that suggestion: they are stuck on IE6, with no recourse to fix this issue, since Windows 2000 is ‘out of cycle’ now.

Windows 2000 users (or users of — God forbid! — earlier versions of Windows) should have upgraded, or should be actively taking steps to upgrade or replace their outdated operating systems ASAP.

The KB article has two sets of Fix-It buttons:

One set to disable/enable peer factory in iepeers.dll. The ‘disable’ button turns off peer factory in iepeers.dll automatically on supported versions of Windows XP and Windows Server 2003, and the other button re-enables it.

The other set enables/disables DEP (Data Execution Prevention) automatically.

According to a Microsoft TechNet article, Microsoft is also considering an out-of-band emergency patch to Internet Explorer to correct the flaw.