Acrobat Reader Vulnerabilities - FreeBSD Security Benchmark - Phishing Season

Published: 2004-08-17
Last Updated: 2004-08-18 18:51:06 UTC
by Cory Altheide (Version: 1)
0 comment(s)
Acrobat Reader Buffer Overflows - Linux/Windows command execution

iDEFENSE has released two advisories regarding vulnerabilities in Adobe's Acrobat Reader software. The first is in the Acrobat Reader for UNIX systems, and allows arbitrary code execution via a buffer overflow in the handling of uuencoded documents.

The second is a buffer overflow in the ActiveX component of Acrobat Reader for Windows. This vulnerability poses a much greater threat, for a number of reasons. First, according to the iDEFENSE, the overflow is still present in current releases of Acrobat Reader. Secondly, the number of target systems is much greater than for the UNIX Acrobat Reader vulnerability. Finally, and most importantly, the advisory contains what is essentially an roadmap for any would-be exploit developer.

FreeBSD Security Benchmark

CIS has released a benchmark for the FreeBSD operating systems, which is, according to the site, "intended for FreeBSD versions 4.8 and later." I believe this means FreeBSD 4.8-4.10 (Production) and does *NOT* include the 5.x series, which is still currently a "new technology release."

UPDATE: Mark your calendars, true believers. I was wrong! According to CISecurity's John Banghart, the benchmark has been tested on FreeBSD 4.8 and 5.2.

Phishing Season

ISC reader Brandon Noble sent in the following:

"Quite a few people think they could NEVER get caught in one of these phishing scams. The truth is that the social engineering is very good.

Some of your readers may benefit from this little phishing test from Mail Frontier."

I took the test myself, and found it to be a fairly accurate sampling of common purely email-based phishing lures found in the wild - however, keep in mind that the quiz is the product of an anti-phishing product. Unfortunately, phishermen (phisherpersons?) are upping the ante, and using browser-specific spoofing vulnerabilities to increase the apparent authenticity* of their schemes. On that note, the prolific Liu Die Yu has discovered Yet Another Internet Explorer Spoofing Vulnerability. The gory details (and a proof of concept test) are available at the URL below.

In a discussion of anti-spoofing capabilities on the ISC mailing list, handler George Bakos pointed out the free anti-spoofing tool Spoofstick. Spoofstick is a browser extension for IE and Firefox that simply displays the current domain name. This is a simple yet elegant solution to many of the spoofing attacks currently employed by phishing sites. For more information (and to download the Spoofstick) head to the following URL.

UPDATE: Several ISC readers have noted that SpoofStick currently fails to display the correct domain for the most recent IE spoofing attack as implemented in the aforementiond Secunia proof-of-concept. I am in contact with Corestreet in an attempt to rectify this.

UPDATE: Within two hours of contacting Corestreet the ISC received the following communcation from Phil Libin, Corestreet's president:

SpoofStick for IE v. 1.02 (available from our website as of about an hour
ago) fixes exactly this bug.

Cory Altheide



*I was going to say "decrease the phishiness" instead of "increase the apparent authenticity" but I'm willing to bet that ISC's audience had pretty much had their fill of cute perversions of "phishing" by the middle of the paragraph in question.
0 comment(s)


Diary Archives