New zero-day exploit circumvents Adobe Reader's Protected Mode
By Justin Rubio 24 Hours Ago



Cybercrime investigation company Group-IB has discovered a zero-day Adobe Reader X and XI exploit that is immune to the program's new Protected Mode. Announced in July, Reader's sandboxing capabilities add an extra layer of defense by securing malicious code found in PDFs and restricting what kinds of actions these files can execute. As explained by IDG, the exploit is not affected by the program's Protected Mode and can be launched even if Javascript support is disabled — many Reader exploits rely on Javascript code embedded into PDF files. Firefox and Internet Explorer users are potential victims, while Chrome's added built-in security causes the code to fail. Group-IB has identified the vulnerability as being part of the "Blackhole Exploit-Kit," a tool that is utilized to deploy banking Trojans.

The exploit — which is currently being sold on the black market for $30,000 to $50,000 — has been submitted to Adobe's Product Security Incident Response Team, although the company has yet to deliver a response or issue a fix. The mere existence of the vulnerability questions the effectiveness of the app's highly-touted preventative measure — but should the exploit be verified, Adobe will likely issue a prompt emergency update to Reader.

A security researcher finds that seven exploit kits have added an attack for a previously unreported flaw in the latest version of the Java Runtime Environment.

Security experts are again calling for users to disable the Java browser plug-in and uninstall the software on their systems, following the discovery of a zero-day vulnerability in the latest version of the Java Runtime Environment.

Information about the vulnerability emerged on Dec. 10, after a security professional discovered an exploit using the security hole to compromise systems. The vulnerability, which appears to only affect JRE (Java Runtime Environment) 1.7 and not prior versions, had not previously been known but appears to be similar to other Java security issues found in August 2012, said Jaime Blasco, labs manager at security-monitoring provider AlienVault.

The vulnerability allows a piece of Java code to break out, or escape, from the protected software container, or sandbox, that is a critical part of Java's security model, said Blasco, who had verified that the exploit worked.

"The most important thing about this is that it is a sandbox escape, not a memory exploitation or something similar, so most of the mitigations are not effective," he said.

The security professional who published details about the exploit, France-based security manager Charlie Hurel, worried that remaining quiet about the issue could lead to a large number of compromises.

"Hundreds of thousands of hits daily where I found it," he wrote in the alert. "This could be ... mayhem."

Last year, an academic paper by security researchers at Symantec found that stealthy attacks using unreported vulnerabilities can remain undiscovered for 10 months. Soon after such exploits are discovered, use of the attacks skyrocket as cybercriminals add the exploits to their tool boxes.

That's exactly what happened with the latest Java vulnerability. By the end of day, security researchers confirmed that at least seven exploit kits--the underground software that allows cybercriminals to quickly create illicit campaigns to steal money—had incorporated attacks that prey on the vulnerability.

The major exploit kits that had a variant of the attack included the Blackhole, Cool TK, Nuclear Pack, and Sakura exploit kits. In addition, the Metasploit project, which develops a free penetration tool with frequent updates for the latest exploits, published its own module last night to exploit the flaw as well.
"This is just as bad as the last five (vulnerabilities in Java)," said HD Moore, chief security officer at vulnerability-management firm Rapid7 and the founder of the Metasploit project. "Within an hour, we had working code."

About 13 percent of users are currently using Java 1.7 and so are vulnerable to the latest attack. Users of older versions--including Mac OS X users—are not necessarily safe, however, as a bevy of older attacks will likely work against their systems.

Unlike last year's Flashback Trojan attack that used a flaw in Java to infect victims' systems, the latest attack is being used to spread a different form of malware: Ransom ware. The scheme typically uses malware to lock a user's machine until they pay a fee and quickly spread across Europe to North America last year.

"We are talking about huge amounts of money here," said Bogdan Botezatu, senior threat analyst for security firm BitDefender. "And as long as they can make easy money, they will keep this up."

The Department of Homeland Security says despite some fixes to Java, it continues to recommend users disable the program in their Web browsers, because it remains vulnerable to attacks that could result in identity theft and other cyber crimes.

Mac computers have stopped running programs written using the Java programming language in their browsers, as Apple blocked it because of security problems.

Apple has previously blocked, then unblocked, the latest version of Java on the most recent versions of its Mac operating system. On Thursday, Apple also started blocking an older version of the Mac system, called Snow Leopard, from running Java 6, also an older version.

The U.S. Department of Homeland Security recommends disabling Java in Web browsers because it has provided pathways for hackers to take control of computers that visit a website rigged with malicious software. Oracle Corp., which owns Java, has issued updates that fix known vulnerabilities, but the DHS expects that there are more.

Oracle had no immediate comment on Apple's action.

(Reuters) - Apple Inc computers were attacked by the same hackers who targeted Facebook Inc, but no data appeared to have been stolen, the company said on Tuesday in an unprecedented admission of a widespread cyber-security breach.

Facebook revealed on Friday that unidentified hackers traced to China had staged a sophisticated attack by infiltrating its employees' laptops, but no user information was compromised.

Apple, which is working with law enforcement to track down the hackers, told Reuters that only a small number of its employees' Macintosh computers were breached, but "there was no evidence that any data left Apple."

The iPhone and iPad maker said it would release a software tool later on Tuesday to protect customers against the malicious software used in the attacks.

Cyber-security attacks have been on the rise. In last week's State of the Union address, U.S. President Barack Obama issued an executive order seeking better protection of the country's critical infrastructure from cyber attacks.

A report tying the Chinese military to computer attacks against American interests has sent a chill through cyber-security experts, who worry that the very lifelines of the United States — its energy pipelines, its water supply, its banks — are increasingly at risk.

Virginia Beach Circuit Court Judge Steven Frucci ruled that a criminal defendant can be compelled to give up his fingerprint and unlock his cellphone in the course of a criminal investigation — because that's just like handing in a DNA sample or a physical key, which citizens can already be legally compelled to give to police.

On the other hand, police can't force a defendant to give up his passcode, because that's considered "knowledge" — not a physical object — and knowledge is protected by the Fifth Amendment. There have been cases, however, where defendants have been asked to give up their password to decrypt their computers, so there no consensus on this issue yet, as Wired's Andy Greenberg reported recently.