On Tue, Feb 24, 2009 at 2:26 AM, Juha-Matti Laurio <[email protected]> wrote:

> It appears that the first Milw0rm PoC is surely related to JBIG2, US-CERT's
> http://www.kb.cert.org/vuls/id/905281
> points to Milw0rm's #8090.
>

Indeed. Shadowserver's 2009.2.21 post (http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221) confirms this:

> We knew it would not take too long -- the details of the vulnerable function
> and enough information to potentially recreate the exploit have now been
> published publicly. While we intentionally did not release these details,
> they are out there now

In the same post, they speculate that this exploit has been in active use since December or January.

Matthew Watchinski, in a comment on Sourcefire's VRT blog, confirms this:

> After re-scanning the zoo after the publishing of Exploit.DF-26,27,28
> for ClamAv, the VRT located numerous samples dating as far back as
> January 2009.

That being said, can anyone confirm that Adobe 7 is vulnerable? My personal testing with the Milw0rm #8090 PoC seems to imply that it's not. I get the message, "Insufficient data for an image" and Reader doesn't crash. The remainder of the PDF (minus the first page) displays just fine. However, Adobe mentions 7 in their advisory. Perhaps it's exploitable, but the methodology is slightly different?

Checkfree was hacked in Dec '08 [1] (DNS redirect sending users to a malicious site), and although it was not commonly reported in the press at the time, I was told by a company rep that the redirect was to a malicious PDF file. In hindsight, it seems that this might have been the same exploit we're dealing with now.

-Nick

[1] http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html?hpid=sec-tech
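Since the thread turns on whether a given PDF carries a JBIG2-encoded stream at all (the filter the Milw0rm #8090 PoC exercises), here is an added triage script for defenders; it is not from Nick's post, the Shadowserver post or the VRT blog. It lists every object whose /Filter chain includes /JBIG2Decode and, where present, the /JBIG2Globals object that stream references, so a sample zoo can be sorted into "uses JBIG2" and "does not" before any deeper analysis. The sample PDF bytes are constructed for the example, and the regex-based object walk assumes objects are stored uncompressed in the file body.

```python
import re
import sys

# "N G obj ... endobj" pairs. Non-greedy so each object ends at its own endobj.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /Filter value: either a single name (/JBIG2Decode) or an array ([/ASCIIHexDecode /JBIG2Decode]).
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
JBIG2_RE = re.compile(rb"/JBIG2Decode\b")
# Indirect reference to the shared-symbol "globals" stream, e.g. /JBIG2Globals 5 0 R
GLOBALS_RE = re.compile(rb"/JBIG2Globals\s+(\d+)\s+(\d+)\s+R")


def find_jbig2_objects(pdf_bytes):
    """Return one dict per object whose /Filter chain contains /JBIG2Decode.

    Each dict carries the object number, the full ordered filter list,
    the object number of the /JBIG2Globals stream (or None) and whether
    the object actually has stream data attached.
    """
    hits = []
    for m in OBJ_RE.finditer(pdf_bytes):
        objnum, body = int(m.group(1)), m.group(3)
        # The object dictionary is everything before the "stream" keyword
        # (the whole body if the object has no stream at all).
        dict_part = body.split(b"stream", 1)[0]
        fm = FILTER_RE.search(dict_part)
        if not fm or not JBIG2_RE.search(fm.group(1)):
            continue
        filters = [n.decode("ascii") for n in re.findall(rb"/(\w+)", fm.group(1))]
        gm = GLOBALS_RE.search(dict_part)
        hits.append({
            "object": objnum,
            "filters": filters,
            "globals_object": int(gm.group(1)) if gm else None,
            "has_stream": b"stream" in body,
        })
    return hits


def scan_path(path):
    """Read a PDF from disk and return its JBIG2 hits."""
    with open(path, "rb") as fh:
        return find_jbig2_objects(fh.read())


# Constructed sample: one page whose only image (object 4) is JBIG2-encoded,
# hex-wrapped, and points at a globals stream (object 5). Object 6 is an
# unrelated Flate stream that must not be reported.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 10 10] "
    b"/Resources << /XObject << /Im0 4 0 R >> >> >>\nendobj\n"
    b"4 0 obj\n<< /Type /XObject /Subtype /Image /Width 1 /Height 1 "
    b"/BitsPerComponent 1 /ColorSpace /DeviceGray "
    b"/Filter [/ASCIIHexDecode /JBIG2Decode] "
    b"/DecodeParms [null << /JBIG2Globals 5 0 R >>] /Length 9 >>\n"
    b"stream\n00000000>\nendstream\nendobj\n"
    b"5 0 obj\n<< /Length 2 >>\nstream\n\x00\x00\nendstream\nendobj\n"
    b"6 0 obj\n<< /Length 3 /Filter /FlateDecode >>\nstream\nabc\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan each path given.
    targets = sys.argv[1:] or ["<constructed sample>"]
    for target in targets:
        hits = find_jbig2_objects(SAMPLE_PDF) if target.startswith("<") else scan_path(target)
        print(f"{target}: {len(hits)} JBIG2 object(s)")
        for h in hits:
            print(f"  obj {h['object']}: filters={h['filters']} "
                  f"globals={h['globals_object']} stream={h['has_stream']}")
```

The script only sees objects written in plain form; a PDF that hides its image dictionary inside a compressed object stream (/ObjStm) needs the object stream inflated first, which is where a real parser such as a PDF library earns its keep. Treat a hit as a reason to look closer, not as a verdict: JBIG2 is a legitimate bilevel image codec and appears in plenty of scanned documents.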
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
