Two major security threats involving Adobe PDF files and Google Gmail have been disclosed by GNUCITIZEN, which describes them as two of the most significant bugs found in recent IT security history.
Do not open any PDF files, and delete every single conversation from your Gmail account immediately.
According to security expert Petko D. Petkov: "Web mail accounts sometimes are even more valuable than a banking account because they maintain access to many other online accounts such as eBay, internet banking and social networks. PDFs, on the other hand, are popular as the ultimate corporate medium. They are used widely for the distribution of press releases, contracts, designs and manuals."
TECHNICAL DETAILS (provided by Petkov)
1. Zero-day PDF vulnerability: This bug can lead to the complete compromise of a Windows machine. It is triggered simply by opening a malicious PDF document in Adobe Acrobat Reader (versions 7, 8.0 and 8.1). According to Petkov, Linux and Windows Vista are safe for now, but other viewers such as Foxit Reader can be affected too, although Foxit shows a confirmation dialog that must be accepted before the exploit can run code on the machine. That dialog is the only barrier, and a user who expects the document to be legitimate will usually click through it, so it should not be counted on as a mitigation.
2. Gmail request forgery: The attack plants a persistent backdoor in the victim's Gmail account. It abuses Gmail's filter feature through a cross-site request forgery (CSRF) that gets past Gmail's protections against forged requests.
Specifically, the victim visits an attacker-controlled page while logged in to Gmail. The page performs a multipart/form-data POST to one of the Gmail interfaces, and because the browser attaches the victim's Gmail cookies to that request, the POST injects a filter into the victim's filter list. In GNUCITIZEN's example the attacker writes a filter that matches every email with an attachment and silently forwards it to an address the attacker controls. The filter applies to all messages matching the rule, including every message that arrives in the future. The backdoor persists for as long as the filter remains in the victim's filter list, even after Google fixes the vulnerability that allowed the injection in the first place, so patching alone does not clean up accounts that were already hit.
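The mechanism described above, and the standard defence against it, as an added example written for this page; it is not GNUCITIZEN's proof of concept and not Google's code. The endpoint names, form fields, session layout and origin `https://mail.example` are assumptions for illustration. The vulnerable handler authenticates a filter-creation POST by the session cookie alone, which the browser attaches to a cross-site form submission automatically; the hardened handler additionally requires a per-session token that a page on another origin cannot read, and rejects a mismatched `Origin` header where the browser sends one.

```python
"""Model of CSRF-driven Gmail-style filter injection and its defence.

Added illustration; not code from GNUCITIZEN or Google. All names below
(endpoint behaviour, form fields, OWN_ORIGIN) are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

OWN_ORIGIN = "https://mail.example"   # assumed origin of the webmail application


@dataclass
class Session:
    user: str
    filters: list = field(default_factory=list)
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS: dict = {}   # session cookie value -> Session


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = Session(user)
    return cookie


def create_filter_vulnerable(cookie, form, origin=None):
    """Flawed handler: trusts the session cookie alone.

    The browser attaches that cookie to a POST from any site, so a hidden,
    auto-submitted form on an attacker's page is indistinguishable from a
    request the user made from the webmail settings page.
    """
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not logged in"
    session.filters.append({"match": form["match"], "forward_to": form["forward_to"]})
    return 200, "filter created"


def create_filter_hardened(cookie, form, origin=None):
    """Hardened handler: requires proof the request came from the app's own pages."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not logged in"
    # Check 1: modern browsers set Origin on cross-site POSTs and a page cannot
    # forge it. Older browsers may omit it, so this check alone is not enough.
    if origin is not None and origin != OWN_ORIGIN:
        return 403, "cross-site request rejected"
    # Check 2: a per-session synchronizer token embedded in the app's own forms.
    # The same-origin policy stops another site from reading it, so a forged
    # POST cannot include it. Constant-time comparison avoids leaking the token.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return 403, "missing or invalid CSRF token"
    session.filters.append({"match": form["match"], "forward_to": form["forward_to"]})
    return 200, "filter created"


def apply_filters(session, message):
    """Addresses a newly arrived message would be forwarded to.

    Only the rule from the report is modelled: messages with attachments.
    """
    targets = []
    for f in session.filters:
        if f["match"] == "has:attachment" and message.get("has_attachment"):
            targets.append(f["forward_to"])
    return targets


def simulate_attack(handler):
    """Victim is logged in and visits an attacker page whose hidden form POSTs
    a forwarding filter. Returns the handler's status and where a message that
    arrives later, with an attachment, would be forwarded."""
    SESSIONS.clear()
    cookie = login("victim")   # the browser now holds this cookie
    # The attacker's page cannot read the victim's token, so the form lacks it.
    forged_form = {"match": "has:attachment", "forward_to": "attacker@example.net"}
    status, _ = handler(cookie, forged_form, origin="https://attacker.example")
    later_message = {"subject": "Q3 contract", "has_attachment": True}  # constructed sample
    return status, apply_filters(SESSIONS[cookie], later_message)


def simulate_legitimate(handler):
    """The user creates a filter from the app's own settings page."""
    SESSIONS.clear()
    cookie = login("victim")
    form = {"match": "has:attachment", "forward_to": "me@example.org",
            "csrf_token": SESSIONS[cookie].csrf_token}
    status, _ = handler(cookie, form, origin=OWN_ORIGIN)
    return status


if __name__ == "__main__":
    print("vulnerable:", simulate_attack(create_filter_vulnerable))
    print("hardened:  ", simulate_attack(create_filter_hardened))
```

Against the vulnerable handler the forged POST succeeds and every later message with an attachment is forwarded to the attacker; against the hardened handler it is rejected while the user's own submission still works. Note what hardening does not do: it does not remove filters that were injected before the fix, which is the persistence the report describes, so an incident response also has to audit and delete existing forwarding rules.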
Although different in nature, both exploits pose a serious risk to any corporation, in terms of reputation as well as direct loss. They give an attacker instant access to a company's most valuable assets, such as trade secrets, internal contacts and other business documents, and the stolen information can feed a larger strategic campaign.
Google and Adobe have both acknowledged the security bugs, but only Google has been forthcoming with a patch. GNUCITIZEN reports that no users were affected, which it attributes to withholding technical details under its disclosure policy; note that withholding details lowers the chance of copycat exploitation but cannot rule out independent discovery by others.
- Cyber criminals pay money for exploit code. Typically, a bug such as the one discovered in PDF could fetch up to $30,000. In some cases, underground hackers can make more than $100,000, depending on the severity of the security bug that has been discovered.
- A zero-day exploit targets a vulnerability for which no vendor fix exists at the time it is used, and which is typically not yet publicly known. As such, it is very hard to defend against with signatures or patches alone. In the case of the PDF exploit, it can be used against a target to obtain access to corporate information, and given the ubiquity of PDF documents in modern business, such a threat could expose many large organizations to attacks not seen before.
The GNUCITIZEN group is an information technology security think-tank. Some of its latest research projects include the recent zero-day Apple QuickTime remote code execution vulnerability, in-depth analysis of Web 2.0 security issues and a database of the latest client-side cross-site scripting attack vectors. GNUCITIZEN members have taken part in numerous tiger-team sessions for some of the biggest financial institutions in the United Kingdom and abroad.
The uprising in Burma-Myanmar reached fever pitch this week and reminded us of how important blogging can be. Citizen journalists on the ground reported on skirmishes and posted graphic pictures of death and bloodshed as photographers were cut down by gunfire and monks were killed, beaten, corralled and confined. We may choose not to react, or we may find ourselves impotent against a far-off military regime, but we cannot claim ignorance. When the junta cut Internet access I really felt their pain. I am tethered to the Internet at least six hours a day and life without it seems inconceivable. When Myanmar blogs went black it was a cruel reminder that there are still places in the world that can enslave their people and prevent the rest of humanity from peering in.
As of today the people of Myanmar are finding a way to break through the digital iron curtain. Reports and images are coming through an adept London-based blogger, Ko Htike, who is feeding news to CNN and other mainstream media for wider distribution. Burmamyanmargenocide is a good central site that is aggregating news from inside the country. Bloggers inside Burma-Myanmar are risking their jobs, businesses, families, even their lives to get the word out. We have an obligation to pass the news to the widest possible audience.
The President of Iran, Mahmoud Ahmadinejad, zipped through my neighborhood on the Upper West Side of Manhattan last week, with a quick stop at Columbia. What seemed like a tailor-made PR opportunity for the nuke-loving, genocide-denying, Great-Satan-hating dictator turned into a humiliation as the President of Columbia, Lee Bollinger, excoriated his “petty tyrant” guest. Bollinger was playing to an American audience, but Ahmadinejad was playing to his constituency. The Arab world was sympathetic to the Iranian’s slight by the Great Satan, and the Iranian government was emboldened enough to label the CIA and the U.S. military “terrorist organizations.” The rationale is the invasion of Iraq and Afghanistan, Abu Ghraib, and secret jails in other countries. So, there, after the ‘dialogue’ in the U.S. we are more polarized than ever. So when do we stop talking and start shooting?
Burson blows it big time
While Strumpette was lashing Ogilvy to the whipping post for pimping online gambling, and once again belittling Ronn Torossian for flacking Girls Gone Wild, Burson-Marsteller, supposedly a blue-chip PR firm, was really mucking in the sleaze. Burson has been fronting a bogus organization on behalf of Microsoft to try to stop Google’s acquisition of DoubleClick. The organization was PRing for a “more transparent and competitive Internet,” but failed to tell reporters and organizations that Burson was on this mission at the behest of Microsoft. Burson was busted by The Guardian, and then The Wall Street Journal followed with an in-depth piece. The organization, the Initiative for Competitive Online Marketplaces (ICOMP), now says right up front on its website that this is a Burson-Microsoft scheme. The pathetic list of “signatories” to this initiative underscores its utter failure.
It seems that PR firms will always push the ethical envelope but it is up to individual account people to take responsibility for their actions. I have a simple rule in contacting the media. Within 15 seconds of the call the reporter will know: a) who I am b) who I represent c) why I am calling. No bull, no schemes, no lies. Simple. Burson’s actions here are reprehensible. I would think they know better but obviously they don’t. Let’s see if Harold Burson addresses this sad episode on his blog.
On Thursday, March 8, 2007 at 7:41 AM, Ronn Torossian, President and CEO of 5WPR, emphatically promised that he was going to sue us. No real reason, he was just irritated by our teasing him about getting in bed with pornographer Joe Francis. Anyway, Ronn gave his obscenity-laced word that we'd see the complaint in 72 hours. It's now late by