October 26th, 2007

Microsoft confirms PDF attacks, urges caution

Posted by Ryan Naraine @ 7:41 am

Categories: Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Microsoft, Mozilla, Passwords, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Spam and Phishing, Viruses and Worms, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Adobe PDF, Microsoft Corp., Attack, Microsoft Windows, Operating Systems, Security, Software, Ryan Naraine

In the wake of this week’s malware attacks using rigged PDF files, Microsoft has updated its security advisory to stress that the underlying flaw — in the Windows operating system — is still not fixed.

The advisory, first issued on October 10, points to an unpatched code execution hole in Windows XP and Windows Server 2003 (with Windows Internet Explorer 7 installed). While applications like Adobe Reader/Acrobat are currently being used as the vector for attack, Microsoft is making it clear that patches from third-party vendors aren’t a cure-all for this bug.

“[B]ecause the vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function, these third party updates do not resolve the vulnerability - they just close an attack vector,” says Bill Sisk, a member of Redmond’s security response communications team.
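The practical consequence of Sisk's point is that any application handing an untrusted URI or path to ShellExecute is a potential vector, so triage should look at what a document asks the operating system to open rather than only at which viewer renders it. The Python script below is an added example written for this page; it is not code from the original post, from Microsoft or from Adobe. It pulls /URI and /Launch actions out of a PDF, inflates FlateDecode streams so that actions packed into compressed object streams are not missed, and flags every target that is not a plain web URL. The two sample documents are constructed inline and carry no exploit; the regex-based parsing and the "non-web scheme or Launch target means look closer" rule are assumptions of this example, not a description of the files seen in the wild.

```python
"""Triage a PDF for actions that hand a URI or a file path to the OS shell.

Added example for this page, not code from the original post, Microsoft or
Adobe.  The rule "non-web URI or /Launch target => look closer" is a triage
assumption; a hit is not proof of exploitation.
"""
import re
import zlib

# PDF literal string "( ... )" with backslash escapes.  Assumption: nested
# unescaped parentheses and hex strings "<...>" are not handled.
_LITERAL = rb"\(((?:\\.|[^\\)])*)\)"
_URI_KEY = re.compile(rb"/URI\s*" + _LITERAL, re.S)
# "/S /Launch ... /F (target)", including the "/Win << /F (...) /P (...) >>"
# form; "[^(]*?" keeps the match inside the Launch dictionary.
_LAUNCH = re.compile(rb"/S\s*/Launch[^(]*?/F\s*" + _LITERAL, re.S)
# One FlateDecode stream with LF line endings.  Assumption: filter arrays,
# /Length-based extraction and encrypted documents are out of scope here.
_FLATE_STREAM = re.compile(
    rb"/Filter\s*/FlateDecode.*?>>\s*stream\r?\n(.*?)\nendstream", re.S)
_OCTAL = re.compile(rb"[0-7]{1,3}")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}
WEB_SCHEMES = ("http://", "https://", "ftp://")


def unescape_literal(raw: bytes) -> str:
    """Decode the backslash escapes of a PDF literal string body."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\":
            out += raw[i:i + 1]
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        octal = _OCTAL.match(raw, i + 1)
        if nxt in _ESCAPES:
            out += _ESCAPES[nxt]
            i += 2
        elif octal:
            out.append(int(octal.group(), 8) & 0xFF)
            i += 1 + len(octal.group())
        else:  # "\<newline>" continuation or unknown escape: drop the backslash
            i += 1
    return out.decode("latin-1")


def _views(data: bytes) -> list:
    """The raw file plus every FlateDecode stream that inflates, so actions
    packed into compressed object streams are scanned too."""
    views = [data]
    for m in _FLATE_STREAM.finditer(data):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # truncated or encrypted stream: nothing readable to scan
    return views


def find_shell_handoffs(data: bytes) -> list:
    """Return (kind, target) for each action whose target reaches the shell."""
    hits = []
    for view in _views(data):
        for m in _URI_KEY.finditer(view):
            uri = unescape_literal(m.group(1))
            if not uri.lower().startswith(WEB_SCHEMES):
                hits.append(("uri", uri))
        for m in _LAUNCH.finditer(view):
            hits.append(("launch", unescape_literal(m.group(1))))
    return hits


# Constructed sample documents (not real malware, not the files seen in the
# wild): one with an ordinary web link and a cross-document jump, one with a
# Launch action in the catalog and a mailto: link hidden in a compressed
# object stream.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/report) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /GoToR /F (appendix.pdf) /D [0 /Fit] >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
_HIDDEN_OBJECT = (b"7 0 obj << /Type /Annot /Subtype /Link "
                  b"/A << /S /URI /URI (mailto:report@example.org) >> >> endobj")
_PACKED = zlib.compress(_HIDDEN_OBJECT)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /Launch "
    b"/Win << /F (C:\\\\notes\\\\setup.exe) /P (/quiet) >> >> >> endobj\n"
    b"6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_PACKED)).encode() + b" >>\nstream\n" + _PACKED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, find_shell_handoffs(doc) or "no shell hand-offs found")
```

A hit such as `("launch", "C:\notes\setup.exe")` is a reason to detonate the file in a sandbox or hold it at the mail gateway, not proof that it carries the exploit; and because the stream handling here is deliberately minimal, an encrypted or filter-chained PDF needs a real parser before you trust a clean result.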

[ SEE: MS Outlook flaw adds new twist to URI handling saga ]

Following the PDF-borne attacks, which use a combination of Trojan downloaders and rootkits to steal data from infected computers, Sisk said Microsoft triggered its Software Security Incident Response Plan (SSIRP), the process that handles all aspects of its response to a computer/Internet attack.

As part of our SSIRP process we currently have teams worldwide who are working around the clock to develop an update of appropriate quality for broad distribution. Because ShellExecute is a core part of Windows, our development and testing teams are taking extra care to minimize application compatibility issues.

To help protect yourself during the interim we continue to recommend that you should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources and/or visiting untrusted websites. This is absolutely one of the most effective ways to help protect yourself from a variety of threats on the Internet today.

Sisk described the PDF exploit as “active” but “fairly limited” and said Microsoft is working around the clock to monitor the situation and get a patch out the door.

Microsoft’s next scheduled patch release date is Tuesday November 13, 2007 — a full 18 days away. An out-of-cycle patch could be forthcoming but this is unlikely unless the attacks intensify.

[ UPDATE: October 26, 2007 @ 12:30 PM ]  Anti-virus vendor F-Secure is warning that malicious PDFs are currently being “massively spammed.”

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.