Posted on July 24, 2009
The ongoing zero-day attacks in which criminals are creating malicious Adobe Flash video clips and embedding them in PDFs and on legitimate Web pages underscores how Adobe has replaced Microsoft as the favorite target of criminal hackers.
This most current assault on Adobe’s ubiquitous Flash video player and Adobe Acrobat Reader serves as a microcosm of the complex balancing act Adobe is facing.
Genesis of a zero-day attack
Hark back to the summer of 2008. That’s when Adobe rolled out a feature enhancement that allows Flash videos to play back inside PDF documents, an enhancement that came about at the request of Adobe’s customers, says Brad Arkin, Adobe’s director of product security and privacy.
On Dec. 31, 2008, a well-intentioned researcher posted this report on Adobe’s “Bug and Issue Management System” (BIMS) web page. The researcher described how invoking a Flash video clip playback in Flash Player, under certain parameters, caused his Web browser to crash.
In more innocent times, this would’ve been a normal beta testing scenario: user reports glitch in a cool new feature; vendor updates. But in today’s world of teeming cybercrime, one man’s glitch is another man’s exploitable zero-day flaw.
While BIMS helps Adobe keep an open dialogue with users, the web site also “gives cyber criminals a convenient place to look for vulnerabilities they can exploit,” says Purewire researcher Paul Royal. “Here you can find bugs that cause crashes, and any bug that can cause a crash can potentially also be used to execute code arbitrarily.”
Sure enough, on July 9, 2009, reports began to filter into a handful of security companies from corporate clients, says Royal. Targeted executives were being sent emails that lured them into opening PDF files. Upon opening the PDF, the executives’ Acrobat Reader program would lag briefly before displaying a blank page, like this:
Unseen, a Flash video clip hidden in the PDF would activate. Exploiting the glitch discovered by the Flash user last December, the intruder would then install a Trojan downloader giving him access to load any malicious program he wanted on the PC, says Royal.
In one case examined by Purewire, a booby-trapped email was sent to the exec from someone outside the company. The email subject line and text lured the exec into opening the attached PDF, which purportedly held important information about riots taking place in the exec’s native country, says Royal.
And in this report, Kaspersky Lab virus analyst Aleks Gostev describes another email sample that similarly delivers a PDF, purportedly with news of riots in the Chinese town of Urumqi. Opening the PDF launches a Flash video clip that results in the download of two widely used malicious programs, Trojan.Win32.PowerPointer and Trojan-Downloader.Win32.Agent.
But that’s not all. Criminals have figured out how to convert the glitch innocently disclosed on Adobe’s BIMS web page last December into a dual-purpose malicious exploit. It turns out that the glitch, which actually lies in the “Flash interpreter” module of Adobe’s systems, can also be used to booby-trap legitimate Web sites, says Royal.
That’s because the Flash interpreter module is used both by Acrobat Reader to render video clips in PDF docs and by Flash Player 9 and Flash Player 10 to render video clips on Web pages. Therefore the bug in the Flash interpreter exposes both Acrobat Reader and Flash Player to being similarly exploited, says Royal.
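The article describes Flash clips hidden inside PDF files. As an added defensive example (not from the article, nor from Adobe, Purewire or Kaspersky), here is a small Python scanner that flags PDFs carrying embedded Flash content by looking for the PDF RichMedia annotation type, the SWF MIME type and the SWF file magic, and that also inflates FlateDecode streams so indicators hidden in compressed objects are not missed. The sample PDF bytes are constructed for the demonstration, and the indicator list is an assumption about what a minimal triage check should look for, not an exhaustive signature set.

```python
import re
import zlib

# Byte-level indicators that a PDF carries Flash (SWF) content. /RichMedia is
# the annotation subtype Acrobat uses for embedded Flash; a SWF file begins with
# the magic FWS (uncompressed), CWS (zlib) or ZWS (LZMA) followed by a version byte.
INDICATORS = [
    (re.compile(rb"/RichMedia"), "RichMedia annotation"),
    (re.compile(rb"application(?:/|#2[fF])x-shockwave-flash"), "SWF MIME type"),
    (re.compile(rb"\.swf", re.IGNORECASE), ".swf file reference"),
    (re.compile(rb"[FCZ]WS[\x03-\x20]"), "SWF header magic"),
]

# Crude stream extractor: good enough for triage, not a full PDF parser.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate(blob):
    """Return the zlib-decompressed stream body, or b'' if it is not Flate data."""
    try:
        return zlib.decompress(blob)
    except zlib.error:
        return b""


def scan_pdf_bytes(data):
    """Return a sorted list of Flash indicators found in raw bytes and inflated streams."""
    views = [data] + [_inflate(m.group(1)) for m in STREAM_RE.finditer(data)]
    found = {label for view in views if view for pattern, label in INDICATORS if pattern.search(view)}
    return sorted(found)


# Constructed sample: a RichMedia annotation plus a Flate-compressed embedded SWF.
_SWF = b"FWS\x0a" + b"\x00" * 12  # constructed SWF header: magic, version 10, padding
_COMPRESSED = zlib.compress(_SWF)
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Annot /Subtype /RichMedia /Rect [0 0 100 100] >> endobj\n"
    b"2 0 obj << /Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash "
    b"/Filter /FlateDecode /Length " + str(len(_COMPRESSED)).encode() + b" >>\n"
    b"stream\n" + _COMPRESSED + b"\nendstream\nendobj\n%%EOF\n"
)
# Constructed sample with no Flash content at all.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print("sample:", scan_pdf_bytes(SAMPLE_PDF))
    print("clean: ", scan_pdf_bytes(CLEAN_PDF))
```

A hit is a reason to detonate or quarantine the file, not proof of exploitation, since legitimate PDF 1.7 documents can embed Flash too.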
While some criminals focused on executives, others turned their attention to the mass market of average consumers. Using SQL injection attacks, criminals have begun to hack into legitimate web sites to embed pages laced with poisoned Flash clips. One example of this latest form of drive-by downloading, discovered by security firm Finjan, looks like this:
Simply browsing to the web page that holds the corrupted Flash video clip (sample shown above) results in the quick installation of a Trojan downloader, followed by other malicious programs of the attacker’s choosing.
Researchers at Finjan have found a few dozen legitimate, hacked Web pages set up to do this latest, greatest form of drive-by download, says Finjan CTO Yuval Ben-Itzhak. Purewire’s Royal and Ben-Itzhak say they are worried that copy-cat crime groups will hack into as many legitimate web pages as they can to set up similar Flash booby traps that take advantage of the latest Adobe vulnerability, for which there is no patch.
“We may see a broad-scale explosion of attacks,” says Royal.
Adobe now No. 1 attack target
Adobe’s Brad Arkin told LastWatchdog the company plans to issue a security patch for the Flash interpreter vulnerability on July 31. But the backstory as to how the company arrived at that date and under what circumstances it is delivering the patch points to complex challenges Adobe must meet.
Quite simply, Adobe has replaced Microsoft as professional cybercriminals’ favorite target. Of the 1,500 targeted attacks identified by F-Secure through June 2009, 43.17 percent were directed at Adobe Acrobat Reader vulnerabilities vs. 40.19 percent at Microsoft Word security flaws.
The most popular target in 2008: Microsoft Word at 34.55 percent vs. Adobe Acrobat Reader at 28.6 percent.
The shift was inevitable. Microsoft has spent seven years and untold billions since Bill Gates in February 2002 slammed the brakes on feature-focused Windows software development and instituted his “trustworthy computing” mandate.
“Microsoft has been really busy clearing up its act,” says Kaspersky Labs senior research analyst Roel Schouwenberg. “The trustworthy computing initiative has led to quite a number of good things, such as writing more secure code and introducing a lot of protection mechanisms into the Windows operating system.”
So like water seeking lower ground, cyber criminals have started to look for the next best thing. Adobe Flash Player is installed on 98 percent of all Internet-connected Windows PCs. And Adobe Acrobat Reader is on at least 500 million Windows PCs, according to Adobe.
“The Adobe attack surface is almost as big as the Windows ecosystem,” says Schouwenberg. “Unfortunately, Adobe is not yet up to speed when it comes to security. The programs seem quite riddled with critical, exploitable vulnerabilities.”
Taking a couple of pages from Microsoft’s playbook, Adobe announced in May that it will issue patches on a regular schedule, coinciding with Microsoft’s Patch Tuesday. But instead of a monthly cycle, Adobe will issue patches quarterly; the first was on June 9th, the next is scheduled for Sept. 8, says Arkin.
And with the latest free download of Adobe Acrobat Reader, version 9.1.0, Adobe has begun to automatically install Adobe Updater, which will alert the user every seven days about the availability of software updates.
“We have always taken security seriously,” says Rob Tarkoff, Adobe’s senior vice president and general manager, Business Productivity Business Unit. “As of late, the volume of cyber crime has been increasing, so we’ve stepped up our efforts to supply best-in-class security.”
Still, Adobe has come under widespread criticism among security researchers that it is moving too methodically. For instance, the July 31st patch Adobe just announced is already the second instance of the company being forced to issue an emergency out-of-cycle patch to solve an egregious threat to Flash and PDF users.
And Adobe Acrobat Updater may be too passive, critics say, since it only alerts users to available security updates every seven days and since it makes installation voluntary. And Flash only appears to alert users to updates every 30 days, says Patrik Runald, senior researcher at F-Secure.
“Flash only checks for updates every 30 days, so even if a patch is available there’s still a reasonably big window of opportunity for the bad guys until the patch is available and I have to honestly say I have never seen the prompt myself even after 30 days having passed so I’m not sure how well this works,” says Runald.
What’s more, when it comes to Adobe Acrobat Reader updates, “the majority of users ignore the update prompts as it’s not necessarily really clear that it’s a very needed security update that’s downloaded,” says Runald. “I also believe that most users ignore them because they think that Adobe Reader works well enough as it is and an update will just make it slower/bigger and might introduce new problems.”
By contrast, most antivirus vendors have taken to automatically updating protection signatures at least once a day, and sometimes hourly, to keep up with continually evolving attacks. And Microsoft makes it easy for consumers, at least, to automatically get security updates via Windows auto update.
“Adobe’s ‘check for updates’ process seems to be easily derailed by network configuration issues and if it fails the first time, it doesn’t seem to be diligent in re-checking in a timely manner,” says Paul Henry, security and forensics analyst at Lumension. “In general, it appears the quality issues that used to plague Adobe Reader generally seem to have moved to its updating process.”
In response, Adobe’s Tarkoff strongly defends the company’s approach. Tarkoff told LastWatchdog he believes that consumers and business users need to take their fair share of responsibility for keeping all aspects of security updated, given the current threat landscape.
“Every software product is a target,” Tarkoff says. “The key is, ‘Can we effectively continue to provide that balance of feature enhancements and security protections?’ And that’s what we’re focused on striking.”