Microsoft confirms PDF attacks, urges caution

Summary: In the wake of this week's malware attacks using rigged PDF files, Microsoft has updated its security advisory to stress that the underlying flaw -- in the Windows operating system -- is still not fixed.

In the wake of this week's malware attacks using rigged PDF files, Microsoft has updated its security advisory to stress that the underlying flaw -- in the Windows operating system -- is still not fixed.

The advisory, first issued on October 10, points to an unpatched code execution hole in Windows XP and Windows Server 2003 (with Windows Internet Explorer 7 installed). While applications like Adobe Reader/Acrobat are currently being used as the vector for attack, Microsoft is making it clear that patches from third-party vendors aren't a cure-all for this bug.

"[B]ecause the vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function, these third party updates do not resolve the vulnerability - they just close an attack vector," says Bill Sisk, a member of Redmond's security response communications team.

Following the PDF-borne attacks, which use a combination of Trojan downloaders and rootkits to steal data from infected computers, Sisk said Microsoft triggered its Software Security Incident Response Plan (SSIRP), a process that handles all aspects of response to a computer/Internet attack.

"As part of our SSIRP process we currently have teams worldwide who are working around the clock to develop an update of appropriate quality for broad distribution. Because ShellExecute is a core part of Windows, our development and testing teams are taking extra care to minimize application compatibility issues.

"To help protect yourself during the interim we continue to recommend that you should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources and/or visiting untrusted websites. This is absolutely one of the most effective ways to help protect yourself from a variety of threats on the Internet today."

Sisk described the PDF exploit as "active" but "fairly limited" and said Microsoft is working around the clock to monitor the situation and get a patch out the door.

Microsoft's next scheduled patch release date is Tuesday November 13, 2007 -- a full 18 days away. An out-of-cycle patch could be forthcoming but this is unlikely unless the attacks intensify.

[ UPDATE: October 26, 2007 @ 12:30 PM ]  Anti-virus vendor F-Secure is warning that malicious PDFs are currently being "massively spammed."

Talkback

122 comments
  • Oh no, say it isn't so

    "underlying flaw--in the Windows operating system--is still not fixed."

    No news here. Everyone knows the Windows OS has more holes than a chunk of Swiss cheese. Redmond needs to dump all the old code, give the middle finger to all legacy users and start from scratch. Until then, Windows will be nothing but crap.
    DarthRidiculous
    • Once again...

      ...Vista is unaffected. No Swiss cheese here. Too bad, you had a nice rant going there.
      itpro_z
      • Once again... but so true

        rant smant... the safety issues with Vista are not the problem... it's the fact that as an OS Vista is a pain in the ass to work with... I've been a Windows boy most of my working life and at the end of the day... if you have an OS that is simple... easy to use and WORKS... why bother with something that even with a gig of memory is so much slower than the system it is replacing at 512mb? It's like XP on a 256mb (if not worse)
        jasmic@...
        • Once again... but so true - PS

          it should be mentioned that Leopard will work on Macs up to 3 years old... can Vista say the same???
          jasmic@...
          • PS

            No, I did not try to upgrade my old XP machine to Vista, although it did meet specs and probably would have worked fine, although a little slow. I built a new system for Vista, and have been very happy with its performance.

            My old XP machine? I still have it, running Ubuntu 7.04, and doing very well, thank you. I haven't yet upgraded it to 7.10, but will have that happy task soon. I would also happily consider OSX, if only I didn't have to run it on Apple's overpriced and limited hardware. I prefer to build my own systems, something that you Mac fans would not understand.
            itpro_z
          • I ask a favor

            If you haven't tried PCLinuxOS please do and tell me what you think. As for the issue of scrapping the code and starting over there are already other OS's out there to choose from. Windows, Leopard, and Linux distros are just 3 of many. I like Linux for the way the files and settings are organized as well as the default security settings. Professionals using Windows are secure, the average user is an eventual target.
            Hrothgar - PCLinuxOS User
          • I'll take a look

            I haven't yet tried PCLinuxOS, but have used RedHat and Ubuntu. That is one issue with Linux: there are so many versions that it is hard to try them all. I am also interested in Novell's SUSE because of its enterprise focus.
            itpro_z
          • you are so right!

            Vista will not run on a 3 year old MAC, that's why I have it running on my 3 year old PC.
            Snarfiorix
          • More Zealots skipping the true topic.

            You MS fanboys never seem to amaze me with all your BULL.
            Intellihence
        • So true.

          You are right, you do need at least 2 GB to run Vista effectively. Considering that 2 GB costs, what, $50 these days, that is just outrageous! After all, that is what we all need, an OS that will run on out of date hardware!

          I do sympathize with you, having paid so much for that old Mac that it will be another 3 years before you can afford to upgrade. On the PC side, since our computers can be bought (or built, my personal choice) for a reasonable price, we can afford to upgrade our hardware more often. Hardware also improves with time, and my new system, with modern processor, video card, RAM, and storage, runs like a sports car with Vista, and will blow the doors off of your old clunker. And, yes, it is very easy to use, very fast, very stable, and WORKS with far more hardware and software than your Mac ever will.

          By the way, since you have been "a Windows boy" most of your working life, did you try to run Win98 on that old 386 with 16 MB of RAM? How about XP when it came out on your old 98 machine with 128 MB? Perhaps you haven't quite figured this out yet, but new OSs are designed for new hardware. I suppose that I could have installed Vista on my old XP machine, but I was ready to move up, and I have not been disappointed. I expect that Mac users, and Linux users, also can benefit from advances in hardware as well.
          itpro_z
    • Holes?

      I expect security flaws to be regularly found in Windows. The amount of people using it is absolutely massive, and yes, as you mentioned, the legacy issues don't help the problem. However, from my experience over the last few years at least, Microsoft has done a pretty good job of releasing a patch not long after a flaw is discovered.

      Do you really believe there's a large amount of security holes in a current patched Windows operating system that "everyone" knows about? I'm genuinely curious.
      Chaduke
      • Yes, and so do the hackers

        And we hear about them almost weekly!
        DarthRidiculous
        • economies of scale

          There's hundreds of millions of MS machines, 3% just isn't a desirable target.
          rtk
          • 3% what?

            What are you talking about?
            DarthRidiculous
          • 3% is 3 years ago...

            Firstly... 3% for Mac is about 3 years ago... Apple laptops alone are hitting 20% in the US... OS X has been out since 2001 (and updated regularly) and there have been loads of monetised offers out for crackers (not hackers) to try and break it... faults have been found but nothing on the scale of XP... or Vista (5 years in the making)
            jasmic@...
          • 3% is today...

            ...if you look at world market share, and are in a generous mood. Macs total share of the *installed base* in the US has reached a little over 6%, counting the old non-Intel Macs (which still outnumber the newer models). By comparison, Vista is already hitting about 8% share, and growing rapidly (once again, installed base, not sales or distribution figures). Mac laptops have been doing better, but that 20% number you threw out is for recent sales of high end models only, not installed base.

            Interestingly, even with the recent surge in Mac sales, Macs have not managed to increase market share, and have even lost some ground, according to the New York Times. Perhaps those recent sales have really been nothing more than users of older Macs upgrading, rather than any trend of "switching".

            You are right that there have been some offers of Macs and cash for any hacker who could break OSX. One recent test resulted in both Macs and cash being "owned" in only a few hours. The only thing protecting Macs now is their minuscule market share. Vista, on the other hand, has been under constant attack, and has been quite secure so far. Even XP, with over half a billion users, has had a decent track record since SP2 (which was free, by the way, unlike your OSX upgrades).
            itpro_z
          • Have to Agree

            Until the sales volumes rise for Macs to such a degree that the numbers get anywhere near this *miraculous* figure of 20% that the guy *plucked out of fresh air*, then Apple will never be *really* considered a viable enough target to the hacking community - and not within cooee of the sheer volume of attacks MS systems might be expected to face on any given day.

            For anyone to argue about the *strength of Mac defenses* in the face of prolonged cracking attempts would be smug to say the least.

            MS OSs have been the consistent target of countless attacks for a number of years - and it seems clear that Vista will now take the mantle as *most targeted* for new concerted attack vectors against an OS kernel.

            The simple fact is Windows OSs will always be disproportionately represented in the numbers of *holes* in the OS/OS kernel argument - and it's simply for the fact the majority of crackers in the business of OS cracking are targeting MS OSs. This is so patently obvious and yet is almost strangely omitted in most Mac fan posts boasting about the (so-called) *rock-solid* security of Mac systems.

            I imagine if Apple had the majority slice of the OS market and became the new focus of major kernel hacking - somehow i get the feeling Mac OSs wouldn't fare any better (if not a hell of a lot worse) than their MS counterparts. I also firmly believe the volume of attacks would grow 'somewhat' proportionately with Apple's market share.

            I say be careful what you wish for Mac people ... because you might get exactly what you want.
            thx-1138_
          • Do they have oxygen on your planet?

            Once you've gotten some blood to your brain (I'm making an assumption), go back
            and learn basic reading comprehension. Apple's market share "other than US" is
            about 3%. That's not all users, but all non-US users. Big difference. HUGE
            difference. Truth in point, Mac sales outside the US are growing faster than in the
            US. The only source I can find that says Apple's "installed base' is 6% is Net
            Applications, Inc, which is an unscientific survey, based on visitors to sites that used
            their software. More than two years ago an "agnostic" survey estimated Apple's
            installed base at 16%. Five years ago it was at 11%. Your 6% is, uh, "specious?"

            And you're just smokin' dope when you say "Macs have not managed to increase
            market share, and have even lost some ground, according to the New York Times."
            Okay. maybe you don't smoke dope. Maybe you're just lying. From the NYT,
            October 22, 2007: "Driven in part by what analysts call a halo effect from the iPod
            and the iPhone, the market share of the company's personal computers is surging."
            Not just sales, but "MARKET SHARE." Further, the article shows that not only are
            more and more buyers choosing Macs, they're paying nearly twice as much for the
            privilege.

            As for market indicators, as goes the US, so goes the world. Apple's market share is
            over 8%. Apple is the third best-selling computer maker. Apple's sales grew twice as
            fast as the next closest competitor. Apple's sales grew more than six times faster
            than the market as a whole. More than half of incoming freshman at Princeton
            University use Apples. More than 40% of all Princeton Students and Faculty use
            Apples. Growth of Apple users at other Ivy schools is similar.

            And please don't keep bogarting that joint. Your cited "hack" of OS X was "achieved"
            after three reductions in basic (default) security, after connecting directly through
            the local server, and didn't actually hack OS X, but a separate piece of software. No
            one, that's NO ONE, has yet to hack into and control/change the OS X operating
            system. No one got the cash, and there's never been any confirmation that anybody
            even got the promised notebooks - from c|net, no less!

            Don't look now, but your beloved Microsoft has admitted to two (2!) MAJOR security
            flaws in Vista in the past week, but won't issue a patch for at least another 14 days!
            According to Microsoft's own security response team "the vulnerability mentioned in
            this advisory is in the Microsoft Windows ShellExecute function." Windows security
            is, has been, and seems forever will be riddled with security flaws. And MS knows it
            but doesn't make changes faster than their regular (hah!) monthly schedule.

            Perhaps you're too young to remember, but you sound a lot like those who denied
            the reality of the Japanese car manufacturers in the late 70's. Toyota, Honda, et al,
            knew they had a better product, and all they needed to do was continue to make a
            better product and the market would come to them. GM, Ford, Chrysler, and AMC
            (remember AMC?) believed that all they had to do was keep cranking out the same
            old marginal product and sheer inertia would protect them. Everyone was shocked
            when Toyota passed Chrysler for #3 a few years ago. Few were surprised that they
            passed Ford for #2 this year. Most are saying it's inevitable that Toyota will be #1.

            I'll bet you're shocked Apple just passed Gateway for #3.
            JoeBob_z
          • Dear Joe Bob

            You quote lots of numbers, but no sources to back them up. How do you measure installed base? Hits to over 45,000 websites is one way, and several sites track these. I use marketshare.hitslink.com, but there are others, all showing about the same numbers. If you have something else of similar scope, I would be happy to look at it.

            As for the hacked Macs, they were standard machines, with the latest patches of OSX installed. The "separate piece of software" you refer to was Quicktime, which is a bundled part of OSX, not separate. Quicktime has also been a security risk for Windows (one of the two that you mentioned), and has been ordered removed from enterprise systems around the world. Quicktime and Safari are two good examples of Apple's complete lack of understanding about designing secure software. While it is true that there is a lack of exploits for OSX in the wild, you can thank that minuscule market share for that, not the software design.

            Apple did have a surge in sales over the summer, but then saw a huge drop last month. I expect that Leopard will cause another surge, followed by another drop. This has been Apple's trend for years. Most of those new sales are users of older Macs upgrading, a trend that will continue for a while, as non-Intel Macs still outnumber the newer machines. You rave about Apple's growth, yet HP has outpaced them in both the US and World markets. HP and Dell still dwarf Apple, and with Acer's acquisition of Gateway, Apple has dropped back to a distant fourth place again.

            I not only remember when the Japanese cars began to take over in the 70s, but owned one, a Datsun, at the time. The American car companies got caught with their pants down with the oil embargo, and had nothing to offer except large gas guzzlers. The Japanese companies offered not only fuel efficiency, but very reasonable prices to entice drivers to look at their vehicles. Compare this to today's computer market, where Apple continues to offer only "premium" computers (translation: expensive). While these systems appeal to some, for most they are simply out of their price range. As long as OSX remains tied to Apple's overpriced hardware, it will remain a niche player. Why do you think that Linux is gaining so rapidly in the world market? Many people, even in the US, have a hard enough time affording a $500 computer, not to mention a $1500 iMac. Your examples of Ivy League students imply that you are out of touch with the mainstream. I have attended college classes recently, and saw no Macs, either among students or in the school's computer labs. Primary and secondary education is the same, virtually all Windows PCs.

            Is Vista totally secure? Of course not, no software is, including OSX and Linux. Windows, due to its 90% market share, has seen extreme levels of attack, and Microsoft has done a decent job of offering patches in a timely fashion. Most are released on a monthly cycle, but critical fixes are pushed out sooner, if needed. Since XP SP2, viruses have become uncommon on properly updated systems. I am responsible for a large number of users, and I haven't seen a virus at home or on our network in years. My experience is not unusual. The only ones ranting about Windows viruses are generally Mac and Linux fans, not those of us supporting systems. Keeping Windows machines secure is rather simple these days, thanks in no small part to Microsoft's efforts.

            Now, then, perhaps you will notice that I was able to reply to your post without insults and degrading comments. Your frequent drug references might explain your failure to notice that the "ShellExecute function" mentioned in the security advisory was for XP, not Vista, which is unaffected, even for those foolish enough to install Quicktime on their systems.
            itpro_z
          • @itpro_z

            You lambaste JoeBob for not citing sources. Where's your source for "Apple did
            have a surge in sales over the summer, but then saw a huge drop last month?" Just
            curious, because I've never seen monthly sales broken out.

            Also, I'm wondering how you read "the market share of the company's personal
            computers is surging" in the Times, and understood that to mean Apple was losing
            market share. Just so you know, 'surging' means gaining, not losing.

            Also, since you don't seem to know the facts, the Mac that was "'owned' in a few
            hours" was actually untouchable for the first 24 hours. Three hours after the
            security was lowered, and *physical access to the machine was allowed,*
            someone managed to get user, not root access.
            msalzberg