You are viewing the archive for February, 2010

Quickly Triage Adobe PDF Documents for Malware

If you frequently get asked to analyze suspicious Adobe PDF documents for potential malicious content or malware, this triage guide might be of help. Adobe PDF documents can be complex things to analyze, but it is possible to get a quick answer as to whether or not a particular PDF merits deeper examination. You should always conduct this type of examination on an isolated machine off of any production network. Air-gapped VMware and Deep Freeze based examination systems work fine. The steps below DO NOT definitively determine that a particular PDF has malware or is malicious – …

Adobe Reader GDI Leak not Fixed in Latest Release of 8.x or 9.x

The Adobe Reader GDI object leak that I described at http://sharpesecurity.blogspot.com/2010/02/gdi-object-leak-in-adobe-reader-92-and.html isn’t fixed in the Adobe Reader 9.3.1 release that Adobe published on 16 Feb 2010. And it ALSO affects the newly released Adobe Reader 8.2.1. So if you can’t live with this bug you have no way to patch the latest Adobe Reader vulnerabilities, since versions 7.x and below are formally off support. There is still no ETA from Adobe for a fix.

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Out of band(?) Adobe Reader Security Update Released

Adobe has released Adobe Reader versions 9.3.1 and 8.2.1 to address new security vulnerabilities. Whatever happened to Adobe’s plan to have their Patch Tuesday fall on Microsoft’s Patch Tuesday, but just once per quarter? Adobe Reader 9.3.0 and 8.2.0 were released on 12 Jan 2010, which was right on time, but what about 16 Feb 2010? That isn’t one quarter away from 12 Jan and it wasn’t on Microsoft’s Patch Tuesday. At any rate, as described here, this was to be expected for the next year or two.

Reference: Adobe’s security bulletin is …

Vulnerability in F5 Products – Review Both Internal and External Units

A denial of service (DoS) vulnerability has been identified in some F5 products. The vulnerability is within the TCP/IP stack of the affected versions. If exploited, it could cause devices to become unresponsive, creating a denial of service condition. F5 recommends restricting access to the affected interfaces as mitigation for this issue.

References:
http://secunia.com/advisories/38476/
https://support.f5.com/kb/en-us/solutions/public/10000/500/sol10509.html

Upgrading to Adobe Flash Player 10.0.45.2

Time to patch all of your Adobe Flash Player instances again. Please remember to remove all older versions of the Flash Player as part of your upgrade, to make sure system vulnerability scans come back clean and don’t complain about old Flash version binaries lying around. If you need help automating this process, please contact sales @ sharpesecurity.com.

Adobe’s bulletin follows:

APSB10-06 – Security update available for Flash Player
Originally posted: February 11, 2010
Summary: A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could …

Easily Detecting VMware Instances Vulnerable to CVE-2009-3733

A tool called gueststealer was released at Shmoocon 2010. Gueststealer is a Perl script that can be used to grab arbitrary files from VMware instances vulnerable to CVE-2009-3733. VMware instances vulnerable to this can be exploited to pull things like a .vmem file, or even the VMware container file with the entire file system of the virtualized machine. Once that is done, sensitive data could then be extracted. The author of this article has created an nmap script that can be used to search for VMware instances vulnerable to this directory traversal problem. …

Budget-wise Espionage

I recently learned about a law enforcement investigative technique used to listen to voice mail messages on other people’s mobile phones using caller ID spoofing. This technique is a little old, but not widely known. What might be an effective investigative technique to some is a potential data leakage or corporate espionage issue to others. As a proof of concept, I set up an account with a caller ID spoofing company and was able to access voice mail messages for a variety of personal and corporate Blackberry, iPhone, and cell phone devices. The problem isn’t with …

GDI Object Leak in Adobe Reader 9.2 and 9.3

There is a GDI object leak in Adobe Reader versions 9.2 and 9.3 (the latest). The leak happens when any PDF is opened in a new IE window, and persists even if the new IE window gets closed. Initially you leak around 4 GDI objects per iteration, but that snowballs a few dozen iterations in, until you hit the Windows default per-process GDI object limit of 10,000. At that point, PDFs won’t render any more, and Windows Explorer might fail due to resource exhaustion. The problem happens after opening and closing around 120-150 PDFs in new IE windows. If …

Hello there!

Hello there! This is the blog associated with sharpesecurity.com and blueteamsecurity.com. This will be a place that I hope you find of value for information related to the entire universe of network and computer security including: incident response, forensics, malware analysis and reverse engineering, server and client RAM dump analysis, vulnerability management and patching, security assessments, policy and standards matters, industry trends, and so forth. Most topics will focus on the defensive side of computer and network security, but we reserve the right to deviate from that theme from time to time.

email: david @ sharpesecurity.com …