SYNOPSIS
Two major security threats involving Adobe PDF documents and Google Gmail have been found by GNUCITIZEN. The group describes them as two of the most significant bugs in recent IT security history.
WARNING
Do not open any PDF files, and immediately delete every conversation from your Gmail account. Review your Gmail filter list and forwarding settings as well, and remove any rule you did not create yourself.
SIGNIFICANCE
According to security expert Petko D. Petkov: "Web mail accounts sometimes are even more valuable than a banking account because they maintain access to many other online accounts such as eBay, internet banking and social networks. PDFs on the other hand are popular as the ultimate corporate medium. They are used widely for the distribution of press releases, contracts, designs and manuals."
TECHNICAL DETAILS (provided by Petkov)
1. Zero-day PDF vulnerability: This bug can lead to the complete compromise of a Windows machine. It is triggered simply by opening a malicious PDF document with Adobe's Acrobat Reader (versions 7, 8.0 and 8.1). Linux and Windows Vista are safe for now, but other programs such as Foxit Reader can be affected too, even though they show a confirmation dialog which must be accepted before the exploit can run malicious code on the machine.
2. Gmail request forgery: The essence of the attack is the infection of the victim's Gmail account with a persistent backdoor. The exploit abuses Gmail's filter feature and bypasses the protections around it.
Specifically, the victim visits an attacker-controlled page while logged into Gmail. When the page loads, it performs a multipart/form-data POST to one of the Gmail interfaces and injects a filter into the victim's filter list; the browser attaches the victim's Gmail session cookies to this cross-site request, which is why Gmail accepts it. In GNUCITIZEN's proof of concept, the attacker's filter simply matches every email that carries an attachment and forwards it to an address the attacker controls. The filter acts on every message matching the rule, including all future mail. The backdoor persists for as long as the filter remains in the victim's filter list, even after Google fixes the vulnerability that allowed the injection; removing it requires the victim to inspect the filter list and delete the rule.
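To make the request-forgery mechanism concrete, here is an added example (it is not GNUCITIZEN's proof of concept and not Gmail's code) that models the filter-creation endpoint twice: once accepting any request that carries a valid session cookie, which is the failure mode the advisory describes, and once requiring an Origin check plus a per-session anti-forgery token that a page on another site can neither read nor guess. The endpoint, cookie name, form-field and token names, the session store and the victim account are assumptions constructed for the example. The last function is the clean-up check the advisory implies: listing every address the account forwards mail to, because an injected filter outlives the server-side fix.

```python
"""Model of the Gmail filter-injection (request forgery) attack and a defence.

Added example, not GNUCITIZEN's proof of concept and not Gmail's code.  The
endpoint, cookie name, form-field names, token name and the session store are
assumptions chosen for illustration.
"""
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://mail.example.com"   # assumed origin of the web-mail service


@dataclass
class Request:
    """A POST as the server sees it.  The browser attaches the service's cookies
    automatically, even when the form that triggered the POST is hosted on the
    attacker's page; that is what the forgery relies on."""
    origin: str      # Origin header: the page that submitted the form
    cookies: dict
    form: dict       # fields of the multipart/form-data body


@dataclass
class Account:
    user: str
    filters: list = field(default_factory=list)
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


# constructed state: one logged-in victim whose browser holds this session cookie
SESSIONS = {"sid-victim": Account(user="victim")}


def _append_filter(acct: Account, form: dict) -> None:
    acct.filters.append({"hasAttachment": form.get("hasAttachment") == "true",
                         "forwardTo": form.get("forwardTo", "")})


def create_filter_vulnerable(req: Request) -> str:
    """Failure mode described on the page: a valid session cookie is the only check."""
    acct = SESSIONS.get(req.cookies.get("session"))
    if acct is None:
        return "401 not logged in"
    _append_filter(acct, req.form)
    return "200 filter created"


def create_filter_hardened(req: Request) -> str:
    """Same endpoint with two checks a cross-site form submission cannot satisfy."""
    acct = SESSIONS.get(req.cookies.get("session"))
    if acct is None:
        return "401 not logged in"
    # 1. The browser sets Origin to the page that submitted the form; a page on
    #    attacker.example cannot make it read SITE_ORIGIN.
    if req.origin != SITE_ORIGIN:
        return "403 cross-site request rejected"
    # 2. The token is issued per session and embedded only in pages served from
    #    SITE_ORIGIN, so the attacker's page cannot read or guess it.
    if not secrets.compare_digest(req.form.get("csrf_token", ""), acct.csrf_token):
        return "403 missing or invalid anti-forgery token"
    _append_filter(acct, req.form)
    return "200 filter created"


def forged_request() -> Request:
    """What the attacker's page makes the victim's browser send: the session
    cookie is added by the browser, the form fields by the attacker, and no
    token is present because the attacker never sees one."""
    return Request(origin="https://attacker.example",
                   cookies={"session": "sid-victim"},
                   form={"hasAttachment": "true",
                         "forwardTo": "drop@attacker.example"})


def legitimate_request(acct: Account, session_id: str) -> Request:
    """A submission from the service's own settings page carries origin and token."""
    return Request(origin=SITE_ORIGIN,
                   cookies={"session": session_id},
                   form={"hasAttachment": "true",
                         "forwardTo": "me@example.org",
                         "csrf_token": acct.csrf_token})


def forwarding_targets(acct: Account) -> list:
    """Audit step: an injected filter outlives any server-side fix, so list every
    address the account forwards mail to for the owner to review."""
    return [f["forwardTo"] for f in acct.filters if f["forwardTo"]]


def demo() -> dict:
    victim = SESSIONS["sid-victim"]
    victim.filters.clear()
    vulnerable = create_filter_vulnerable(forged_request())
    after_injection = forwarding_targets(victim)
    victim.filters.clear()
    hardened_forged = create_filter_hardened(forged_request())
    hardened_legit = create_filter_hardened(legitimate_request(victim, "sid-victim"))
    return {"vulnerable": vulnerable,
            "after_injection": after_injection,
            "hardened_forged": hardened_forged,
            "hardened_legit": hardened_legit,
            "after_hardening": forwarding_targets(victim)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the forged POST creating a filter that forwards to the attacker's address under the vulnerable handler, the same POST rejected by the hardened handler, and a legitimate submission from the service's own page still succeeding. One caveat: browsers of the 2007 era did not send an Origin header at all, and some clients still omit it on certain requests, so the per-session token is the check to rely on; the Origin comparison is defence in depth, and a deployment that must serve such clients should reject a wrong Origin but not treat a missing one as proof of legitimacy.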
CONCLUSION
Different in nature, both exploits pose a great risk to any corporation, both to its reputation and to its defences. They give instant access to a corporation's most valuable assets, such as trade secrets, internal contacts and many other business documents. The stolen information can be used as part of a larger strategic plan against the target.
Google and Adobe have both acknowledged the security bugs, but only Google has been forthcoming with a patch. No affected users have been reported, as no technical information was released as part of GNUCITIZEN's disclosure policy.
EDITOR'S NOTES
- Cyber criminals exchange money for exploit code. Typically, bugs such as the one discovered in PDF can fetch up to $30,000. In some cases, underground hackers can make more than $100,000, depending on the severity of the security bug that has been discovered.
- Zero-day exploits are ones for which there is no remedy and which the vendor has not yet disclosed. As such, they are nearly impossible to defend against. In the case of the PDF exploit, they can be used against a target to obtain access to corporate information. Given the ubiquity of PDF documents in modern business, such a threat could potentially expose many large organizations to attacks hitherto unseen.
CREDITS
GNUCITIZEN is an Information Technology security think-tank. Some of the group's latest research projects include the recent 0day Apple QuickTime remote code execution vulnerability, in-depth analysis of Web 2.0 security issues and a database of the latest client-side cross-site scripting attack vectors. GNUCITIZEN members have participated in numerous tiger-team sessions for some of the biggest financial institutions in the United Kingdom and abroad.
Ivana Kalay is a leading PR security expert. She is an active member of Gnucitizen, a creative hacker organization. She specializes in information technology hacking, social engineering and Black PR.