Zero-Day PDF Exploit Affects Earlier Versions of Adobe

By Lucian Constantin

Researchers from security firm FireEye claim that attackers are actively using a remote code execution exploit that works against the latest versions of Adobe Reader 9, 10 and 11.

“Today, we identified that a PDF zero-day [vulnerability] is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1,” the FireEye researchers said late Tuesday in a blog post.

The exploit drops and loads two DLL files on the system. One file displays a bogus error message and opens a PDF document that’s used as a decoy, the FireEye researchers said.

Remote code execution exploits regularly cause the targeted programs to crash. In this context, the fake error message and second document are most likely used to trick users into believing that the crash was the result of a simple malfunction and the program recovered successfully.

Meanwhile, the second DLL installs a malicious component that calls back to a remote domain, the FireEye researchers said.

It’s not clear how the PDF exploit is being delivered in the first place — via email or over the Web — or who were the targets of the attacks using it. FireEye did not immediately respond to a request for additional information sent Wednesday.

“We have already submitted the sample to the Adobe security team,” the FireEye researchers said in the blog post. “Before we get confirmation from Adobe and a mitigation plan is available, we suggest that you not open any unknown PDF files.”

The Adobe Product Security Incident Response Team (PSIRT) confirmed Tuesday in a blog post that it is investigating a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild. The risk to customers is being assessed, the team said.

In response to a request for a status update sent Wednesday, Heather Edell, Adobe’s senior manager of corporate communications, said that the company is still investigating.

Sandboxing is an anti-exploitation technique that isolates a program’s sensitive operations in a strictly controlled environment in order to prevent attackers from writing and executing malicious code on the underlying system even after exploiting a traditional remote code execution vulnerability in the program’s code.

A successful exploit against a sandboxed program would have to chain multiple vulnerabilities, including one that lets the exploit escape from the sandbox. Such sandbox bypass vulnerabilities are rare, because the code that implements the sandbox is usually carefully reviewed and is small compared to the rest of the program’s codebase, where most exploitable bugs are found.

In Adobe Reader 10, Adobe added a sandbox mechanism called Protected Mode that isolates write operations. In Adobe Reader 11 the sandbox was extended to cover read-only operations as well, through a second mechanism called Protected View.
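Process sandboxes of this kind typically strip the rendering process of its own privileges and route any write it needs through a trusted broker process, which is why the broker’s policy check is the small, heavily reviewed surface the article refers to, and also where an escape has to be found. The following is an added example and not Adobe’s code: a constructed broker-side write policy in Python, shown once with a weak prefix check and once hardened, run over constructed requests a compromised renderer might send. The allowlist directory, the request format and the sample paths are all assumptions made for illustration; POSIX-style paths are used so the example runs anywhere, although Protected Mode itself is a Windows feature.

```python
"""Broker-side write policy for a process sandbox (illustrative example).

The sandboxed renderer holds no write privilege of its own; every write
goes to a trusted broker as a request, and the broker decides. That small
decision function is the surface a sandbox escape has to get through, so
two versions are shown: a weak check and a hardened one. All paths and
the allowlist are constructed for this example; none of this is Adobe's code.
"""
import posixpath
from typing import Dict, List

# Constructed policy: the only directory the sandboxed process may write into.
ALLOWED_WRITE_DIRS = ("/tmp/reader-sandbox/",)


def naive_is_allowed(path: str) -> bool:
    """Weak check: a string-prefix test. '..' segments walk out of the allowed tree."""
    return any(path.startswith(d) for d in ALLOWED_WRITE_DIRS)


def hardened_is_allowed(path: str) -> bool:
    """Hardened check: reject relative paths, normalise, then require containment.

    Symlinks are not resolved here; a real broker also has to open the target
    without following links (or canonicalise it first) to avoid TOCTOU races.
    """
    if not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)
    for allowed in ALLOWED_WRITE_DIRS:
        root = posixpath.normpath(allowed)
        # commonpath() compares whole path segments, so '/tmp/reader-sandbox-evil'
        # does not match the root '/tmp/reader-sandbox'.
        if posixpath.commonpath([norm, root]) == root:
            return True
    return False


def broker_decide(requests: List[Dict[str, str]], check=hardened_is_allowed) -> List[str]:
    """Run each write request through the chosen policy; returns 'ok'/'denied' per request."""
    return ["ok" if check(req["path"]) else "denied" for req in requests]


# Constructed requests, as a compromised renderer might send them to the broker.
SAMPLE_REQUESTS = [
    {"path": "/tmp/reader-sandbox/cache/page1.bin"},   # legitimate write
    {"path": "/tmp/reader-sandbox/../../etc/passwd"},   # traversal out of the allowed tree
    {"path": "/tmp/reader-sandbox-evil/x"},             # look-alike directory name
    {"path": "tmp/reader-sandbox/relative"},            # relative path
]

if __name__ == "__main__":
    print("naive:   ", broker_decide(SAMPLE_REQUESTS, naive_is_allowed))
    print("hardened:", broker_decide(SAMPLE_REQUESTS, hardened_is_allowed))
```

The weak policy lets the second request through, which is exactly the kind of small flaw in the sandbox boundary that turns a code execution bug inside the renderer into a full compromise; the hardened policy denies everything except the legitimate write.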

Back in November, security researchers from Russian security firm Group-IB reported that an exploit for Adobe Reader 10 and 11 was being sold on cybercriminal forums for between US$30,000 and $50,000. The exploit’s existence was not confirmed by Adobe at the time.

“Before the introduction of the sandbox, Adobe Reader was one of the most targeted third-party applications by cybercriminals,” Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender, said Wednesday via email. “If this is confirmed, the discovery of a hole in the sandbox will be of crucial importance and will definitely become massively exploited by cybercriminals.”

Botezatu believes that bypassing the Adobe Reader sandbox is a difficult task, but he expected this to happen at some point because the large number of Adobe Reader installations makes the product an attractive target for cybercriminals. “No matter how much companies invest in testing, they still can’t ensure that their applications are bug free when deployed on production machines,” he said.

Unfortunately, Adobe Reader users don’t have many options to protect themselves if a sandbox-bypassing exploit actually exists, except for being extremely careful about what files and links they open, Botezatu said. Users should update their installations as soon as a patch becomes available, he said.


Obama Signs Cybersecurity Order

By Grant Gross

U.S. President Barack Obama has signed an executive order requiring federal agencies to share cyberthreat information with private companies and to create a cybersecurity framework focused on reducing risks to companies providing critical infrastructure.

The cybersecurity framework would be voluntary for some operators of critical infrastructure, but the order also requires federal agencies overseeing critical infrastructure to identify the operators and industries most at risk and to explore whether the government can require those companies to adopt the framework.

The agencies will focus on critical infrastructure “where a cybersecurity incident could reasonably result in a catastrophic regional or national effect on public health or safety, economic security, or national security,” said the order, signed by Obama just before his State of the Union speech Tuesday evening.

Enemies of the U.S. want to “sabotage” the country’s power grid, financial networks and air-traffic control systems, Obama said during the speech. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” he said.

Obama called on the U.S. Congress to pass additional laws to secure U.S. networks, although he didn’t lay out details.

The order tasks the U.S. National Institute of Standards and Technology (NIST) to lead in the creation of the cybersecurity framework for operators of critical infrastructure, with the framework based on “voluntary consensus standards and industry best practices.” The framework will be developed with public input, the order said.

The order also directs the secretary of homeland security, the attorney general, the director of national intelligence and the secretary of defense to share cyberthreat information with private companies in the U.S.

One Republican lawmaker raised concerns that the order will create new regulations for U.S. businesses. Representative Michael McCaul, chairman of the House of Representatives Homeland Security Committee, also questioned Obama’s authority to give businesses the legal protections they need to share cyberthreat information.

“I am concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses, and fail to keep pace with evolving cyberthreats,” McCaul, of Texas, said in a statement.

Two lawmakers are expected to introduce a cyberthreat sharing bill on Wednesday, McCaul noted.

McCaul said he’s pleased that the order focuses on sharing cyberthreat information.

The American Civil Liberties Union praised Obama’s approach, saying it would better protect privacy than the controversial Cyber Intelligence Sharing and Protection Act (CISPA), to be introduced Wednesday. The order focuses on established fair information practices, the group said.

“The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties,” ACLU legislative counsel Michelle Richardson said in a statement. “Greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information.”


Working Mobile is Smart and Increases Productivity!

January 20, 2013

Around 59 percent of knowledge workers said that using smartphones and tablets increases their productivity, and 27 percent said that working remotely makes their work easier, according to a survey of knowledge workers conducted by IDC on behalf of Samsung.

A majority of knowledge workers said that mobility is important for them to do their jobs, with 13.5 percent calling it “mission critical.”

More than one-third of workers said that their biggest challenge at work is not having access to necessary information remotely when they need it.

In addition, working in the cloud has become the norm for 45 percent of knowledge workers, and 36 percent would prefer that their company adopt cloud technologies.

A surprising 22 percent of knowledge workers said that the IT tools at work were worse than those they had at home, 49 percent said that IT tools at work were “okay,” while only 20 percent thought their IT tools at work were “awesome.”

A disturbing 65 percent of knowledge workers said that their company does not have a BYOD policy, with only 22 percent responding that they do have a BYOD policy at work.

This is consistent with other surveys on BYOD policies. According to a survey conducted by IDC on behalf of Samsung, fewer than one-third of companies had BYOD policies in place.

Not having a BYOD policy in place opens up enterprises to a “security nightmare,” said Harry Sverdlove, chief technology officer at security firm Bit9. In a recent blog post, Sverdlove said that companies without BYOD policies risk losing control over business data and becoming the target of attacks that steal it.

Companies that do not have BYOD policies in place are increasing the risks to their data and networks from employees bringing their mobile devices to work, with or without the permission of the IT department.


The International Networking Week Comes to Atlanta

Your next best business partners may be in London or Dubai. Or maybe they’re in Australia, Brazil or South Africa. You can learn about them during International Networking Week®, which starts Feb. 4, 2013.  And you just might meet them during International Networking Day, Feb. 7, at the Cobb Galleria.

The goal of International Networking Week® is to recognize the key role networking plays in the development and success of businesses around the world.  During the week global events will bring together representatives of businesses, governments, and communities to understand the concepts of good networking and put them to work.  Key networking experts will offer advice and information on how businesses can grow and succeed through good networking practices. In between presentations, everyone in the room will have the opportunity to use the magic of modern communications technology to meet people at sessions in other countries and find those with compatible business opportunities and goals.

You can find more information about International Networking Week and International Networking Day from postings on this website. We encourage you to subscribe to our mailing list for updates – and we strongly encourage you to sign up to attend our Galleria event, Feb. 7.  To step up your involvement and maximize your attendance become a sponsor. Your sponsorship will raise your visibility as an international business resource as well as provide you with a robust package of PR.  (See Sponsor page.) Contact us about our sponsorship program. We’re more than happy to answer your questions and show you your benefits.

The purpose of International Networking Week® is to raise the profile of networking in the wider community, recognizing it as an essential tool for success in today’s business climate.


Microsoft Kicks Off 2013 with Clutch of Critical Windows Updates

Microsoft today patched 12 vulnerabilities in Windows, Office and several server and development products, but as it hinted last week, did not come up with a fix for the Internet Explorer (IE) bug that cyber criminals have been exploiting for at least a month.

Today was also a spring tide of sorts for patching, as Microsoft’s updates were just some that vendors pushed to customers. Adobe also issued updates for Flash Player, Adobe Reader and Adobe Acrobat; Google shipped a new version of Chrome; and Mozilla delivered the next iteration of Firefox.

“More vendors are aligning with Patch Tuesday,” said Jason Miller, VMware’s manager of research and development. “That’s not necessarily a bad thing, but with so many, it makes it harder to get your hands around what needs to be patched.”

Two of Microsoft’s seven security updates were marked “critical,” Microsoft’s highest-threat rating. The other five were tagged “important.” Of the 12 vulnerabilities, only three were critical.

Security experts voted MS13-002, one of the two critical updates, as requiring immediate attention. The one-vulnerability update addressed a bug in XML Core Services (MSXML) in every supported edition of Windows, from the 11-year-old Windows XP to the two-month-old Windows 8 and Windows RT.

MSXML was last patched by MS12-043, another critical update, released in July. That vulnerability was one of several allegedly uncovered, then exploited, by an elite hacker group dubbed “Elderwood” by Symantec, which in September said the gang had an inexhaustible supply of “zero-day” bugs at its disposal.

“MS13-002 is at the top of the list because it affects so many components, applications and operating systems,” said Andrew Storms, director of security operations at nCircle Security. Last week, Storms put his money on XML or GDI as the likely culprits for what Microsoft called “Bulletin 2” in its monthly advance notification for today’s fixes.

Miller agreed. “Many users will have multiple XML Cores on their system, so there may be more than one patch applied,” he warned.

MS13-002 affected not only Windows, but as Storms and Miller said, also Office 2003 and Office 2007; Expression Web, part of the Expression Studio web development suite; and SharePoint Server 2007, Groove Server 2007 and System Center Operations Manager 2007.

A few researchers dissented on the first-to-patch roll call. Paul Henry, a security and forensic analyst at Lumension, picked MS13-001 instead.

“[This] is probably the most important vulnerability,” Henry said in an email. “From an attack perspective, you could create a bunch of print jobs with malformed headers, send them to the network printer so they queue up in order, and if someone else on the network prints to the same printer, Print Spooler will actually go through and enumerate all the pending print jobs, which gives you the remote code execution.”

Storms and Miller, who both picked MS13-001 for this month’s No. 2 spot, thought the single-vulnerability update was as interesting as did Microsoft, which detailed the bug on its Security Research & Defense blog today.

The vulnerability in Windows Print Spooler — but only in the code contained within Windows 7 and Windows Server 2008 R2 — could be used by attackers, who must already have network access, to spread malware within an enterprise, where shared printers and multi-function devices are a dime a dozen.

“[MS13-001] was disconcerting at first, reminded me of Stuxnet,” said Storms, talking about the notorious worm of 2010 believed to have been jointly created by the U.S. and Israeli governments to sabotage Iran’s nuclear program. Stuxnet relied on several vulnerabilities to infect and spread, including a print spooler bug.

“But it’s more like a ‘watering hole,’ where [an attacker] puts something malicious in the spooler and the next user who comes along gets infected,” said Storms.

Microsoft security engineers Ali Rahbar and Jonathan Ness called the attack vector for the MS13-001 vulnerability “a little different than previous spooler service vulnerabilities” when they explained why they devoted a blog to it.

Rahbar and Ness said that the bug could not be triggered unless a Windows 7 or Server 2008 R2 customer had “third-party software installed on the client that enumerates print jobs differently than built-in Windows components.”

They did not name names — something Microsoft is always hesitant to do, said Miller — but were talking about the proprietary printer drivers and utilities included with printers sold by the likes of Hewlett-Packard, Epson and others.

“Essentially those DVDs you get with the printer are what will trigger this,” said Storms. The flaw, however, is not in that software, but in Microsoft’s.

Other updates released Tuesday included one that quashed four bugs in the .Net development framework, which is bundled with every edition of Windows; another in Windows’ kernel-mode driver that affected Vista, Windows 7, Windows 8 and Windows RT; and others that addressed vulnerabilities in System Center Operations Manager and the Open Data (OData) protocol.

Today’s patches didn’t end with Microsoft. Several other vendors also delivered updates. Adobe, for example, again patched Flash Player, the media software baked into Google’s Chrome and Microsoft’s IE10. And Mozilla pushed out Firefox 18, the newest edition of its every-six-weeks browser.

Among the torrent of patches, one not offered today was for the IE6, IE7 and IE8 zero-day bug that hackers have been exploiting since at least Dec. 7.

Neither Storms nor Miller thought Microsoft could wait until the next round of scheduled updates on Feb. 12, five weeks from today, to patch the IE bug — not with reports of attacks coming from additional compromised websites, as well as claims by Exodus Intelligence that it’s crafted exploits that sidestep both workarounds Microsoft has urged customers to use until a patch is provided.

“I wouldn’t be surprised if they go ‘out-of-band,’” said Storms, using the term for an emergency update. “They won’t want to wait for five weeks, and there’s enough pressure on them now to work on an out-of-band.”

“They will go out of band on this,” asserted Miller. “Windows XP users can’t get to IE9, and there are a lot still running XP. I think they’ll [have a patch] as soon as next week, and no later than two weeks.”

IE9 and IE10 do not contain the bug, which according to Symantec was used by the Elderwood group for cyber espionage. But because IE9 won’t run on Windows XP, those customers are stuck with a vulnerable browser. Data from Web analytics company Net Applications puts XP’s online usage share at 39% in December, meaning nearly four out of every 10 personal computer users run the aged OS.

January’s security updates can be downloaded and installed through the Microsoft Update and Windows Update services, as well as via WSUS (Windows Server Update Services), the de facto patching mechanism for businesses.


Freedom to be Mobile in Retail

Yes, it’s almost that time. As the tax season approaches, perhaps you have one retail shop in Washington DC, another in New York City and an online store. Now…just because you have three sets of records doesn’t mean they have to be a triple threat at tax time.

As the owner of a small retail chain, you know the challenges of staying on top of your tax records. You rely on your team of store managers to record, update and document as needed. Somehow, things continue to get tangled up year after year managing multiple sets of records. Look no further, Mobile IT Inc. has a solution and your tax preparer will thank you.

There’s a revolution occurring in cloud computing. Enabling freedom while providing connectivity.  And computer network connectivity is our specialty. Just as your customers enjoy outstanding personalized service; our technical team embodies that same high performance when servicing computer network systems.

Mobile IT, Inc. points of service this tax season are Monday – Friday 8am to 5pm.  Call 404-814-5255 to set your appointment time with one of our technical specialists.
