If you haven’t heard about it by now, let me clue you in: Java is a security nightmare. A few days ago, a zero-day exploit for Java 7 became widely known. The exploit bypasses Java 7’s security sandbox and permits attackers to download and execute code without user interaction. The attack is already available in Metasploit and in the Blackhole Exploit Kit (BEK). Since it’s in BEK, users are now susceptible to this attack via so-called “drive-by” web hacks. All a user has to do is get unlucky and visit a compromised site (and there are a TON of compromised WordPress sites out there) and their machine is compromised.
Unfortunately, there is no easy way to effect this Acrobat configuration change across all of your corporate PCs at once. It does make me wish that Adobe provided an Active Directory Group Policy plug-in to enforce certain configuration settings on a domain-wide basis.
- As the PDF is an otherwise well-formed document, there is no easy way to detect a malicious document with any signature-based network monitoring like True’s NSM service. The best advice I can provide is to ensure that all anti-virus signatures are up-to-date across your enterprise, although the AV vendors are playing catch-up at this point, and I cannot find any definitive answer as to whether any of them can detect this exploit yet. Some people are saying that Symantec may possibly detect this in some form.
- I suspect that the largest number of deliveries of a malicious PDF would arrive via e-mail, and so I would also recommend that you remind your users via e-mail to avoid opening PDFs which arrive unexpectedly in e-mail, are from untrusted (non-business related) sources, and/or are named in such a way as to suggest that they are recreational and non-business in nature.
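Because a malicious PDF is structurally well-formed, a network signature has little to key on; what a defender can still do at the mail gateway or on the endpoint is triage the document's structure for features that a business document rarely needs (automatic actions, embedded JavaScript, program launches, attachments). The script below is an added illustration of that structural-triage approach and is not code from the original post or from True's NSM service; the indicator list is a generic, assumed set of risky PDF name objects (the post does not say which feature the exploit in question uses), and the sample documents are constructed inline, not real malware. It also handles two common obfuscations: hex-escaped names such as `/Java#53cript` and content hidden inside FlateDecode-compressed streams.

```python
import re
import zlib

# Assumed indicator set: PDF name objects that are rarely needed in ordinary
# business documents and commonly abused. Not specific to any one exploit.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launch of an external program",
    b"/EmbeddedFile": "embedded file attachment",
}

# PDF allows any byte in a name to be written as #xx; attackers use this to
# hide /JavaScript from naive string matching.
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Raw stream bodies between the stream/endstream keywords.
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Constructed samples (not real malware).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Same content as SUSPICIOUS_PDF, with the risky names hex-escaped.
OBFUSCATED_PDF = SUSPICIOUS_PDF.replace(b"/OpenAction", b"/Open#41ction").replace(
    b"/JavaScript", b"/Java#53cript"
)


def build_compressed_sample():
    """Constructed sample whose JavaScript action lives in a FlateDecode stream."""
    body = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed')) >>")
    return (
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
        + b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body
        + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    )


def normalize_names(data):
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Inflate every stream that is zlib data; ignore streams that are not."""
    out = []
    for m in STREAM.finditer(data):
        try:
            # decompressobj tolerates a missing trailing checksum byte
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"".join(out)


def triage_pdf(data):
    """Return {description: count} for each risky name found in the document."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF header")
    text = normalize_names(data) + normalize_names(inflate_streams(data))
    findings = {}
    for name, label in RISKY_NAMES.items():
        # Require a delimiter after the name so /JS does not match /JSX-style names.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if count:
            findings[label] = count
    return findings


def is_suspicious(data):
    """True when any risky feature is present; a cue to quarantine for review."""
    return bool(triage_pdf(data))


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF),
                       ("obfuscated", OBFUSCATED_PDF), ("compressed", build_compressed_sample())]:
        print(label, triage_pdf(doc))
```

The output is a list of features, not a verdict: a document that opens with embedded JavaScript is worth holding for review, but legitimate forms use some of these features too, so this belongs in a quarantine-and-inspect workflow rather than an automatic block list.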
By far the quickest, easiest and likely (at this point) most-effective action you can take is to notify your users via e-mail as I describe in
Microsoft recently released a patch for security issue MS09-002, which is a vulnerability in Internet Explorer 7 that allows remote code execution. There is now an exploit in the wild for this vulnerability. The current version of this exploit steals personal data and exfiltrates it to a remote site. I would expect that RBN and botnet infection vectors would also appear in short order.
If you are one of our NSM customers, please be assured that our NSM processes will be looking for this exploit code and we will be alerting you as necessary; however, this is a new exploit and is likely to change quickly as different malicious entities obtain the exploit code and change it to fit their nefarious needs. As such, it will be difficult to detect all versions of the exploit for several days.
I want to encourage you to ensure that all workstations on your corporate network are patched against this vulnerability, if at all possible. This occasion is an excellent reminder that it is always a good idea to update workstations (not servers) within one or two days of Microsoft’s Patch Tuesday security releases.
If you have no method of pushing patches to machines, I would encourage you to send an e-mail to your users reminding them to refrain from visiting non-business-related websites as much as possible to reduce the risk of infection by this (and other) exploits.
The patch for MS09-002 is available via Windows Update and/or Windows Software Update Services (WSUS) if your organization distributes patches internally.