
Translation: The No-Click PDF Zero-Day Vulnerability and Protection Details

2009-3-8 00:58


The yet-unpatched critical vulnerability affecting up-to-date versions of Adobe Reader and Acrobat has just become more dangerous. A security consultant has demonstrated how to exploit the bug without needing to actually open a malformed PDF file.

It's been a little over two weeks since members of the cyber-crime fighting outfit "The Shadowserver Foundation" warned about a serious 0-day vulnerability in Adobe Reader and Acrobat, which was being exploited in the wild through maliciously crafted PDF files.

Adobe acknowledged the vulnerability in an advisory, but only scheduled a patch for March 11, a rather long period of time for a 0-day flaw that baffled security experts. Things got even more serious when researchers from vulnerability intelligence company Secunia later announced that they had developed a working proof-of-concept exploit for it that did not rely on JavaScript.
This posed significant problems, since an initially suggested workaround for the issue involved disabling JavaScript in Adobe Reader and Acrobat, because the exploits detected in the wild required it. However, what Didier Stevens, IT security consultant at Contraste Europe, has just recently demonstrated is far scarier than Secunia's exploit.

According to Mr. Stevens, "Sometimes, a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents." In order to demonstrate this concept, the researcher has made use of two already available exploits and a custom one that he created himself.

As he explains, this behavior is possible due to the Windows Shell Extension that Adobe Reader and Acrobat install. This is called the "Column Handler Shell Extension," and it is responsible for feeding Windows Explorer additional columns of information when listing PDF files in a directory. The existence of this shell extension opens the door to three distinct attack scenarios.

The first one involves clicking on the file to select it in Windows Explorer (single click). This action will cause the extension to actually read it in order to gather the extra information to display.

The second type of attack occurs if the "Thumbnail view" option is selected in Windows Explorer. In order to generate a thumbnail, the first page of the PDF document has to be read, again executing any malicious code it contains.

The third and most intriguing scenario employs the custom PDF file that Mr. Stevens has created. This file stores the malicious stream object in the metadata instead of its pages. The information stored in the file metadata is read by Windows Explorer through the shell extension in order to generate mouse-over tooltips. Therefore, by hovering the mouse pointer over a malformed PDF file, the exploit code will be automatically executed.
It remains to be seen if this latest development will compel Adobe to release an unscheduled patch before March 11. Regardless of this fact, everyone should "be very careful when you handle malicious files," the security consultant warns. "[...] Always change the extension of malware (trojan.exe becomes trojan.exe.virus) and handle them in an isolated virus lab. Outside of that lab, [...] encrypt the malware," he advises.

Translated by 黑客基地 from: http://news.softpedia.com/news/No-Click-Required-to-Exploit-0-day-Adobe-Reader-Vulnerability-106186.shtml
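Because the article's scenarios are triggered by the reader's own components parsing the file, a triage check for the /JBIG2Decode filter is best done on raw bytes with no PDF library involved. The following is an added example, not code from the article or from Mr. Stevens; the function names and sample byte strings are constructed for illustration, and it also resolves the `#xx` hex escapes that PDF allows in names.

```python
import re
import sys

# A PDF name is "/" followed by regular characters; any character may be
# written as #xx (two hex digits), so /JBIG#32Decode equals /JBIG2Decode.
_NAME = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes in a name token (leading slash already removed)."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def find_filter(data: bytes, wanted: bytes = b"JBIG2Decode"):
    """Return (offset, raw_token, was_escaped) for each use of the name."""
    hits = []
    for m in _NAME.finditer(data):
        raw = m.group(1)
        if decode_name(raw) == wanted:
            hits.append((m.start(), raw, raw != wanted))
    return hits

def triage(data: bytes) -> str:
    """Classify a file's bytes. Limitation: names stored inside compressed
    object streams are not visible to a raw byte scan like this one."""
    hits = find_filter(data)
    if not hits:
        return "no-jbig2"
    # An escaped spelling of a filter name is unusual and worth a closer look.
    return "jbig2-obfuscated" if any(h[2] for h in hits) else "jbig2"

# Constructed sample inputs (not taken from any real document).
SAMPLE_PLAIN = (b"%PDF-1.4\n1 0 obj\n<< /Length 0 /Filter /JBIG2Decode >>\n"
                b"stream\n\nendstream\nendobj\n")
SAMPLE_ESCAPED = SAMPLE_PLAIN.replace(b"/JBIG2Decode", b"/JBIG#32Decode")
SAMPLE_CLEAN = SAMPLE_PLAIN.replace(b"/JBIG2Decode", b"/FlateDecode")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:  # raw read only; nothing is rendered
            print(path, triage(fh.read()))
```

A "jbig2" result only means the filter is used, which legitimate scanned documents also do; it marks the file for handling under the isolation advice quoted above.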