Archive for February, 2009

Do you use Adobe Reader?

Exploited PDFs have been a prevalent attack vector for a while now, but only on Windows; they have never been seen on Mac.

I had discussed this here: the prevalence, util.printf(), Virut-generated PDFs and now the zero day. This zero-day vulnerability exists in Adobe Reader 9.0 and earlier and Acrobat 9.0 and earlier versions. Unfortunately, this flaw remains unpatched at the moment; as announced in the advisory, “Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009.”

Here are a few recommendations to avoid this attack:

Mac Users:

1) Go to the Applications folder, look for Adobe Reader and launch it.

2) Once open, click “Adobe Reader” and then “Preferences”, or use the shortcut by pressing Command and comma (,).

3) In Categories, click “Internet”, look at the Web Browser options and uncheck “Display PDF in browser…”

4) Again in Categories, click “JavaScript”, look at the JavaScript options and uncheck “Enable Acrobat JavaScript”

5) Do not open or access PDF documents from an untrusted source, especially if you are not expecting them.

6) Make sure your security scanner is using the latest signature update, and ensure that features like real-time scanning are turned on.

For Windows users:

1) Prevent your default browser from automatically opening PDF documents. To do this, open your Adobe Reader by clicking on Start > All Programs > Adobe Reader <x> (where ‘<x>’ is the version). Once open, click Edit > Preferences, and uncheck Display PDF in Browser.

2) Disable JavaScript in Adobe Reader and Acrobat. Click Edit > Preferences and uncheck Enable Acrobat JavaScript.

3) Do not open or access PDF documents from an untrusted source, especially if you are not expecting them.

4) Make sure your security scanner is using the latest signature update, and ensure that features like real-time scanning are turned on.

Take note that this vulnerability does not require JavaScript to exploit. However, attackers crafting PDFs to get into users’ machines need script to successfully execute the payload (based on the exploited PDFs I’ve seen), so it is best to disable it!
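Because the exploited PDFs described above carry script, a quick way to triage a suspicious file before opening it is to look for the PDF objects that hold JavaScript or fire actions automatically. The script below is an added example written for this post, not code from the original, and it runs in PowerShell on Windows; the file path on the usage line is a placeholder. It reports which risky name tokens appear and how often, including tokens written with the #xx hex escape that PDF allows inside names.

```powershell
# Added example (not from the original post): triage a PDF for the features the
# post says to disable or avoid. It only reports that risky objects are present;
# it does not decide whether the file is malicious.
# Usage: .\Test-PdfRisk.ps1 -Path C:\Downloads\sample.pdf   (path is a placeholder)
param(
    [Parameter(Mandatory = $true)][string]$Path
)

# Name tokens worth flagging: /JS and /JavaScript carry script, /OpenAction and
# /AA run an action when the document or a page opens, /Launch starts an external
# program, /EmbeddedFile can carry a second-stage payload inside the PDF.
$RiskyNames = '/JavaScript', '/JS', '/OpenAction', '/AA', '/Launch', '/EmbeddedFile'

function Get-PdfRiskReport {
    param([byte[]]$Bytes)
    # Decode as Latin-1 so every byte becomes exactly one character; the regexes
    # then match the raw bytes even though parts of a PDF are binary.
    $text = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($Bytes)

    $report = [ordered]@{}
    foreach ($name in $RiskyNames) {
        # PDF lets any character of a name be written as #xx (e.g. /J#61vaScript),
        # which defeats a naive string search. Accept the literal character or its
        # hex form (hex digits case-insensitive, the name itself case-sensitive).
        $body = ($name.Substring(1).ToCharArray() | ForEach-Object {
            $hex = '{0:x2}' -f [int]$_
            '(?:{0}|(?i:#{1}))' -f [regex]::Escape([string]$_), $hex
        }) -join ''
        # Require a delimiter afterwards so /JS does not also match a longer name.
        $pattern = '/' + $body + '(?![A-Za-z0-9])'
        $count = [regex]::Matches($text, $pattern).Count
        if ($count -gt 0) { $report[$name] = $count }
    }
    return $report
}

$bytes  = [System.IO.File]::ReadAllBytes($Path)
$header = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(5, $bytes.Length))
if (-not $header.StartsWith('%PDF')) {
    Write-Warning "$Path does not start with %PDF; treat it with extra suspicion."
}

$findings = Get-PdfRiskReport -Bytes $bytes
if ($findings.Count -eq 0) {
    "No JavaScript or automatic-action objects found in $Path (plain-text scan only)."
} else {
    "Risky PDF features in ${Path}:"
    $findings.GetEnumerator() | ForEach-Object {
        '  {0,-14} {1} occurrence(s)' -f $_.Key, $_.Value
    }
}
```

The check is deliberately conservative: a clean result only means nothing was visible in the uncompressed parts of the file. Objects stored inside compressed streams are not inspected here, so a file that reports nothing still deserves the same caution the post recommends, while a hit on /JS or /OpenAction in an unexpected document is a good reason not to open it.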

Please feel free to drop by and comment if this has been helpful to you! Also, if you have found suspicious websites or files, don’t hesitate to send them through @ meths101 (at) optusnet (dot) com (dot) au. Definitely, this will help other users!

Disable Autorun registry key

With the significant rise of malware employing autorun.inf to execute and spread, Microsoft pushed a solution that disables the Autorun registry key through Windows Update and Automatic Updates. Please refer to this URL for all the details: http://support.microsoft.com/kb/967715

Here are the instructions to do it manually.

How to selectively disable specific Autorun features

To selectively disable specific Autorun features, you must modify the NoDriveTypeAutoRun value under the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

Autorun is also known as AutoPlay. The following table shows the settings for the NoDriveTypeAutoRun registry value.

Value   Meaning
0x1     Disables AutoPlay on drives of unknown type
0x4     Disables AutoPlay on removable drives
0x8     Disables AutoPlay on fixed drives
0x10    Disables AutoPlay on network drives
0x20    Disables AutoPlay on CD-ROM drives
0x40    Disables AutoPlay on RAM disks
0x80    Disables AutoPlay on drives of unknown type
0xFF    Disables AutoPlay on all kinds of drives

Personally, I prefer the 0xFF value, which disables AutoPlay on all kinds of drives. The drawback here is when you are installing from a CD, ’coz you have to manually execute the setup instead of it running automatically. The good thing: you’ll be safe from autorun malware!
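The registry table above is a bit mask, so the same change can be made and verified from a script rather than by hand in Regedit. The following PowerShell is an added example for this post, not code from the original or from the Microsoft article; it assumes an elevated session (the key lives under HKEY_LOCAL_MACHINE) and uses only the key path, value name and bit meanings given above. It decodes the current value, writes 0xFF as the post recommends, and reads the value back to confirm the write.

```powershell
# Added example (not from the original post): inspect and set the
# NoDriveTypeAutoRun policy value from the table above.
# Assumes an elevated PowerShell session on Windows.
$PolicyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'

# Bit meanings, copied from the table in the post (0x1 and 0x80 both cover
# drives of unknown type, as the table states).
$DriveFlags = [ordered]@{
    0x01 = 'drives of unknown type'
    0x04 = 'removable drives'
    0x08 = 'fixed drives'
    0x10 = 'network drives'
    0x20 = 'CD-ROM drives'
    0x40 = 'RAM disks'
    0x80 = 'drives of unknown type'
}

function Get-AutorunPolicy {
    # Returns the current DWORD value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Show-AutorunPolicy {
    param([int]$Value)
    # Decode each bit of the mask into the drive type it disables AutoPlay on.
    # GetEnumerator() is used because indexing an ordered dictionary with an
    # integer would be treated as a position, not a key.
    foreach ($entry in $DriveFlags.GetEnumerator()) {
        $bit   = [int]$entry.Key
        $state = if ($Value -band $bit) { 'disabled' } else { 'ENABLED' }
        '{0,-6} {1,-28} AutoPlay {2}' -f ('0x{0:X2}' -f $bit), $entry.Value, $state
    }
}

function Set-AutorunPolicy {
    # 0xFF is the setting the post recommends: all drive types.
    param([int]$Value = 0xFF)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # The value must be REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
    # Read back instead of assuming the write succeeded.
    return Get-AutorunPolicy
}

$current = Get-AutorunPolicy
if ($null -eq $current) {
    'NoDriveTypeAutoRun is not set under the machine policy key.'
} else {
    'Current value: 0x{0:X2}' -f $current
    Show-AutorunPolicy -Value $current
}

$new = Set-AutorunPolicy -Value 0xFF
if ($new -ne 0xFF) { throw "Policy write failed; value is now $new" }
'NoDriveTypeAutoRun is now 0x{0:X2}. Log off or restart Explorer for it to take effect.' -f $new
```

Running Get-AutorunPolicy and Show-AutorunPolicy on their own is a harmless way to audit a machine, and the read-back in Set-AutorunPolicy is what turns the change from something you hope happened into something you can show in a report.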

Visualizing OS X Threats

[image: map of OS X threat distribution]

A small visual map of OS X threat distribution. These threats are often found on websites offering free software, cracks and keygens, and they also victimize Mac users looking for drivers and books. This may give the impression that “Free Mac Stuff” = “Mac Threats”; yes, attackers mostly ride on popular trends and searches.

This is just part of the big map, but basically in my investigation these threats are massively distributed across different servers and geographic locations. Obviously, this gives us an understanding that these threats are mostly driven by pay-per-install schemes.

Victorian bushfire appeal 2009

The terrible news of the Victorian bushfire is indeed devastating, especially to those affected. I still remember that week the temperature soared to 40 degrees Celsius; it was absolutely hot!

As described, it was like a roaring storm, soaring like a tidal wave and rolling like a huge ball of fire. It was unimaginable!

Overall, I’m doing great; this incident is 50-60 km away from the Melbourne CBD (central business district) area where I live, although we experienced thick smoke and ash due to the wind.

This is not related to any Mac threats… but I am encouraging you to please take part in rebuilding the lives of those affected, who lost families, pets and property.

Please send your donation through the Australian Red Cross @ http://www.redcross.org.au. I did it online as well; just click secure online donation and follow the instructions.

[image: Australian Red Cross online donation page]

Feel free to drop by and share your thoughts! After all, it is more blessed to give than to receive.

World Map Infection Report

This is the global picture of the “MacAccess” infection as reported by users through this blog. This is just a small amount of data, but looking at it from a mathematical perspective, considering the percentage of Mac users per continent, I believe the infection is not isolated but definitely in the wild. Perhaps the author could show more infection reports; obviously, it’s giving them good numbers, to the extent that these threats remain online and evolving.

[image: world map of MacAccess infections reported by users]

Wondering why attackers are interested in Macs? Here’s an interesting trend as published by NetApplications Market Share.

[image: top operating systems by market share, NetApplications]