Update:
Funny pages used to launch PDF attack on latest vulnerability.
We got an email from King Features with a little more detail on the incident. This is the statement they have sent to clients.
"On Thursday, December 17, at 10:40am EST, King Features was notified that its product, Comics Kingdom, was serving up malware via OpenX (King's ad server) to its client sites. After quickly determining the source of the malware, King Features immediately disabled the Comics Kingdom marketing ads and shut down the ad server. We sincerely apologize for any inconvenience this may have caused. Please be assured that Comics Kingdom itself was not compromised and it is safe to host our content on your site."
"Further investigation revealed that, through a security exploit in the ad server application, hackers had injected a malicious code into our ad database. We took immediate steps to remove the malicious code, test the database and update the ad server program. At this point, the ad server will stay down until we are sure the security exploit has been patched and tested by the manufacturer of the application."
Original Article:
Code injected into systems owned by King Features was used to deliver payloads designed to exploit the recently disclosed PDF vulnerability on Thursday, prompting one site carrying the syndicated comics to remove them completely.
Last week, The Tech Herald reported on the newest Adobe vulnerability, and the fact that there was to be no planned fix for the issue until January at the least. Adobe has confirmed that there will indeed be a fix for the problem released on January 12, but until then the only advice is to disable JavaScript, or according to various other experts, leave Adobe’s platform and use a different PDF reader.
According to The Shadowserver Foundation, the vulnerability is actually in a JavaScript function within Adobe’s code. In addition to that, “…the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult.”
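An added example (not from the article or from Shadowserver) showing why a zlib-compressed stream defeats plain byte signatures: the scanner inflates each stream in a PDF and reports script indicators that are visible only after decompression. The indicator list, function names and the sample file are assumptions constructed for illustration, and only plain Flate-encoded streams are handled.

```python
import re
import zlib

# Generic script indicators (assumed list for illustration, not a vendor signature).
INDICATORS = [b"eval(", b"unescape(", b"String.fromCharCode", b"app."]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf_bytes):
    """Yield (offset, decoded_bytes) for every stream that zlib can inflate."""
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates stray bytes after the zlib data
            yield m.start(1), zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data, or another filter is layered on top


def find_indicators(data):
    return sorted(i.decode() for i in INDICATORS if i in data)


def scan_pdf(pdf_bytes):
    """Return (hits in the raw bytes, {stream offset: hits seen only after inflating})."""
    raw_hits = find_indicators(pdf_bytes)
    hidden = {}
    for offset, decoded in inflate_streams(pdf_bytes):
        hits = [h for h in find_indicators(decoded) if h not in raw_hits]
        if hits:
            hidden[offset] = hits
    return raw_hits, hidden


def build_sample():
    """Constructed, harmless PDF-like file with one compressed script stream."""
    script = b'var s = unescape("%41%42"); app.alert(s); ' * 3
    body = zlib.compress(script)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    raw_hits, hidden = scan_pdf(build_sample())
    print("visible in raw bytes:", raw_hits)
    print("visible only after inflating:", hidden)
```

A signature matched against the raw file sees nothing here; the same patterns match once the stream is inflated, which is the step a gateway or IDS has to perform before its rules apply.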
Another interesting aspect to the attacks on the PDF vulnerability is that the payload seen in most of them delivers three files, which upon inspection look like Windows system files. The system files, according to security vendor Webroot, are crafted to look legit, even down to the digital signature from Microsoft on the security certificate. The fake signature is shipped with two of the three payload files. [More information here.]
While the vulnerability was disclosed on December 11, there have been a number of attacks online, and the most recent one appeared just 48 hours after Adobe acknowledged the PDF flaw.
Timesunion.com, a news pub based out of Albany, N.Y., said on Friday that visitors to the site’s comics section on Thursday morning began reporting malicious downloads while viewing comics presented by King Features. “After investigating the issue, King Features officials reported that malicious code was injected into their databases. They now believe that they have corrected the problem, but the comics will remain off the site for the time being. The malicious software is part of an active attack by hackers and is designed to exploit a vulnerability in the Adobe Acrobat Reader software used to view .PDF files,” a Timesunion.com notice reads.
We’ve asked King Features for a status update, and if they respond we’ll add their information to this story.
In the meantime, other than using an alternate PDF viewer, you should disable JavaScript in all Adobe products where the option is available.
In Acrobat Reader you can do so by opening Reader, clicking Edit, and going to Preferences. From there, click on JavaScript and uncheck the box that says “Enable Acrobat JavaScript”.
Our advice? If you stick with Adobe, leave JavaScript disabled.