Slashdot Mirror


Attackers Infect Ads With Old Adobe Vulnerability

thethibs writes "eWeek is reporting that just as everyone is buzzing about the latest Adobe vulnerability, someone poisoned ads hosted by Ziff-Davis with an older Adobe exploit (affecting versions 8.12 and earlier, and long since patched). Z-D fixed the problem less than 24 hours after its first appearance. The interesting bit of this is that a bunch of people probably got hit with the old Trojan when they browsed to a story about the new one."

12 of 70 comments

  1. Adobe what? by Anonymous Coward · · Score: 5, Informative

    While it's fairly evident that they're talking about Adobe Reader, nowhere in the summary does it state which Adobe product this affects. Adobe is a company, not a product, even if it's not called Adobe Acrobat anymore!

  2. another good reason...... by Nossie · · Score: 4, Interesting

    to run scripts selectively ....

    Which I do, and with no script the way I have... *shrugs* the little extra hassle is worth all the benefits!

    1. Re:another good reason...... by Anonymous Coward · · Score: 4, Insightful

      Yeah, because people like you (running noscript) are so likely to be running a 2-year-old version of Reader.

    2. Re:another good reason...... by Phroggy · · Score: 5, Informative

      Blocking scripts isn't guaranteed to protect you from this kind of attack, since the article specifically mentioned that the attack used iframes. Loading a PDF into an iframe can be done with no scripting; this will either trigger a file download or will invoke the Adobe Reader plug-in (or whatever other plug-in your browser is configured to use to display PDF files).

      However, if the iframe is inserted into the DOM by a script (not uncommon with advertisements these days), then yeah, blocking scripts would prevent it.

      Of course, I imagine the attempt to install a rogue application would trigger a UAC prompt on Vista, protecting anyone on that platform who isn't a moron.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
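
Added example (not part of the comment above, and not code from the article): a small audit that separates iframe/embed/object elements present in a page's static markup, which load even with scripts blocked, from iframes a script would insert. The sample page, host names and paths are constructed placeholders, and the script check is a crude keyword heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attribute that carries the embedded resource for each framing/plug-in tag.
EMBED_ATTR = {"iframe": "src", "embed": "src", "object": "data"}

class EmbedAudit(HTMLParser):
    """Separate embeds present in static markup from ones a script would add."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.script_text = None      # list buffer while inside <script>, else None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_text = []
        elif tag in EMBED_ATTR:
            url = urljoin(self.page_url, dict(attrs).get(EMBED_ATTR[tag]) or "")
            self.findings.append({
                "how": "static", "tag": tag, "url": url,
                "third_party": urlparse(url).hostname != urlparse(self.page_url).hostname,
                "pdf": urlparse(url).path.lower().endswith(".pdf"),
            })

    def handle_data(self, data):
        if self.script_text is not None:
            self.script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.script_text is not None:
            # Crude heuristic: the script mentions an iframe it may create.
            if "iframe" in "".join(self.script_text).lower():
                self.findings.append({"how": "script-inserted", "tag": "iframe"})
            self.script_text = None

def audit(html, page_url):
    parser = EmbedAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; hosts and paths are placeholders.
SAMPLE = """<html><body>
<iframe src="http://ads.example.net/doc.pdf"></iframe>
<iframe src="/widgets/poll.html"></iframe>
<script>var f = document.createElement("iframe");
f.src = "http://ads.example.net/creative.html"; document.body.appendChild(f);</script>
</body></html>"""

for finding in audit(SAMPLE, "http://news.example.com/story.html"):
    print(finding)
```

Entries marked `static` are the ones script blocking alone does not stop; `script-inserted` entries disappear when the script is blocked.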
    3. Re:another good reason...... by Spy der Mann · · Score: 4, Informative

      Blocking scripts isn't guaranteed to protect you from this kind of attack, since the article specifically mentioned that the attack used iframes.

      Let me remind you that NoScript (TM) not only protects you from scripts. It also protects you from clickjacking (iframes or not), in-iframe browsing, embedded objects and other nuisances.

      With noscript installed, the only way I could be hit with malicious code would be through an html or css buffer overflow vulnerability - and that's why I keep my distro up to date.

    4. Re:another good reason...... by Anonymous Coward · · Score: 4, Informative

      Noscript blocks iframes, but not default enabled. You have to drill through preferences, which I do anyway, but some might not.
      Perhaps it's time to default-enable security enhancing features and if it BREAKS something, turn them off selectively, instead of the converse.
      Or is it more work to click through a menu than to reformat and reinstall because you got hosed?

    5. Re:another good reason...... by Akzo · · Score: 5, Insightful

      Unless the malicious code was placed on any one of the authors sites or another trusted site.

      --
      Sig is for Signature, so you don't have to manually sign every post.
  3. So what exactly happened? by Phroggy · · Score: 4, Interesting

    So what servers were actually compromised by hackers? According to the article, Stephen Wellman, director of community and content for Ziff Davis Enterprise, says no ZD web sites were compromised and it "was not our fault." Whose fault was it? Does ZD use a third-party advertising service? If so, does anyone else use that same advertising service? If ZD runs its own ad servers, how is this not ZD's fault?

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:So what exactly happened? by Phroggy · · Score: 4, Insightful

      I loaded eweek in Firefox, and adblock stopped ads from Doubleclick, Googlesyndication, and Atdmt.com. I'm guessing it came from the last one.

      These are huge advertisers (atdmt.com is Microsoft, and you probably know that Google bought DoubleClick). Was one of them hacked? If so, what does this have to do with ZD at all?

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  4. Documents are not applications by Gothmolly · · Score: 5, Insightful

    If a "document" wants to _do_ anything, then it is not a document, and should be given the same trust as other programs. The Microsoftification of the world must stop.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Documents are not applications by artor3 · · Score: 4, Funny

      ... rather than improperly blaming Microsoft

      Woah, woah, woah.... just where do you think you are?

  5. Don't use AR. If you must use AR, turn off JS. by bcrowell · · Score: 4, Insightful

    Don't have anonymous sex with strangers in bath-houses. Or if you must have anonymous sex with strangers in bath-houses use a condom. This has been a public service message.

    In other words, don't use AR. Use Evince (on Linux) or Sumatra PDF (Windows). If you must use AR, go to Edit, Preferences, JavaScript, and uncheck "Enable Acrobat JavaScript".

    No, none of this has much to do with PDF's merits as a file format. Embedding JS in PDF was a mistake. The mistake won't hurt you if you take these elementary precautions.