Comments on: Latest PDF Zero Day Leads to Exploit Egg Hunt http://www.avertlabs.com/research/blog/index.php/2009/10/13/latest-pdf-zero-day-leads-to-exploit-egg-hunt/ Cutting edge security research as it happens....... Tue, 02 Mar 2010 09:26:54 -0600 http://wordpress.org/?v=2.8.3 hourly 1 By: PDF file loader to extract and analyse shellcode « c0llateral Blog http://www.avertlabs.com/research/blog/index.php/2009/10/13/latest-pdf-zero-day-leads-to-exploit-egg-hunt/comment-page-1/#comment-923734 PDF file loader to extract and analyse shellcode « c0llateral Blog Wed, 06 Jan 2010 23:19:32 +0000 http://www.avertlabs.com/research/blog/?p=2706#comment-923734 [...] you need more information please check Didier Steven’s site and this blog entry, also check Jon Paterson and Dennis Elser blog entry showing how they extracted the shellcode manually and loaded it into IDA for [...] [...] you need more information please check Didier Steven’s site and this blog entry, also check Jon Paterson and Dennis Elser blog entry showing how they extracted the shellcode manually and loaded it into IDA for [...]

]]> By: [パッチ] Adobe Reader/Acrobat 9.2 « UnderForge of Lack http://www.avertlabs.com/research/blog/index.php/2009/10/13/latest-pdf-zero-day-leads-to-exploit-egg-hunt/comment-page-1/#comment-881851 [パッチ] Adobe Reader/Acrobat 9.2 « UnderForge of Lack Wed, 21 Oct 2009 22:58:54 +0000 http://www.avertlabs.com/research/blog/?p=2706#comment-881851 [...] Latest PDF Zero Day Leads to Exploit Egg Hunt 技術検証 : Egg Hunter found signature ‘eof’ [...] [...] Latest PDF Zero Day Leads to Exploit Egg Hunt 技術検証 : Egg Hunter found signature ‘eof’ [...]

]]> By: Didier Stevens http://www.avertlabs.com/research/blog/index.php/2009/10/13/latest-pdf-zero-day-leads-to-exploit-egg-hunt/comment-page-1/#comment-879377 Didier Stevens Fri, 16 Oct 2009 12:39:20 +0000 http://www.avertlabs.com/research/blog/?p=2706#comment-879377 FYI, I've updated my PDFiD tool to detect this 0day: http://blog.didierstevens.com/2009/10/13/update-pdfid-version-0-0-9-to-detect-another-adobe-0day/ FYI, I’ve updated my PDFiD tool to detect this 0day: http://blog.didierstevens.com/2009/10/13/update-pdfid-version-0-0-9-to-detect-another-adobe-0day/

]]> By: user http://www.avertlabs.com/research/blog/index.php/2009/10/13/latest-pdf-zero-day-leads-to-exploit-egg-hunt/comment-page-1/#comment-879073 user Thu, 15 Oct 2009 19:05:26 +0000 http://www.avertlabs.com/research/blog/?p=2706#comment-879073 Can you guys point out how you guys are actually going about decoding this to make it viewable using your tool fileinsight? Thanks and love the blog very informational!! :) Can you guys point out how you guys are actually going about decoding this to make it viewable using your tool fileinsight?

Thanks and love the blog very informational!! :)

]]> By: iTinker http://www.avertlabs.com/research/blog/index.php/2009/10/13/latest-pdf-zero-day-leads-to-exploit-egg-hunt/comment-page-1/#comment-878433 iTinker Wed, 14 Oct 2009 18:33:48 +0000 http://www.avertlabs.com/research/blog/?p=2706#comment-878433 Q: what would be the effect of DEP set to 'optOut' or 'alwaysOn' on the heap spray attempt? (winXP+) "The hidden executable ...is written to disk and executed ..." Q: written where, executed by whom? If the attacked user is a "normal" user as opposed to an admin is the attack successful? What happens if a "normal" user is protected by a "line of business" Software Restriction Policy? Write+Execute should result in a security fault, preventing the attack. Is there a privilege escalation step? DEP, "normal" user and SRP are readily available mitigations/defenses against "drive by" attacks. Testing consistently against them and reporting the results would help to aquaint the non-specialist public with their use. Hopefully some will be encouraged to investigate and apply these measures, making themselves and the rest of the internet just that little bit safer. Q: what would be the effect of DEP set to ‘optOut’ or ‘alwaysOn’ on the heap spray attempt? (winXP+)

“The hidden executable …is written to disk and executed …”
Q: written where, executed by whom?
If the attacked user is a “normal” user as opposed to an admin is the attack successful?
What happens if a “normal” user is protected by a “line of business” Software Restriction Policy? Write+Execute should result in a security fault, preventing the attack. Is there a privilege escalation step?

DEP, “normal” user and SRP are readily available mitigations/defenses against “drive by” attacks. Testing consistently against them and reporting the results would help to aquaint the non-specialist public with their use. Hopefully some will be encouraged to investigate and apply these measures, making themselves and the rest of the internet just that little bit safer.

]]>