McAfee Labs Security Advisory: MTIS09-133

Version 1
    December 17, 2009

    MTIS09-133
    Executive Summary
    Since the last McAfee® Labs Security Advisory (December 16), the following noteworthy events have taken place:
    • The Exploit-PDF.ag Trojan has gained media attention.
    • Patches are now available for vulnerabilities in Mozilla Firefox and SeaMonkey.
    • McAfee product coverage has been updated for a vulnerability in Adobe Acrobat and Adobe Reader.

    McAfee product coverage for these events:

    McAfee Product Coverage *

    Advisory      Threat Name              Importance  DAT  BOP  Host IPS  NSP  MVM  MNAC 2.x  MRM  MPA SCAP  MNAC SCAP
    MTIS09-133-A  Exploit-PDF.ag           High        Yes  N/A  N/A       Yes  UA   UA        N/A  N/A       N/A
    MTIS09-133-B  Mozilla libtheora RCE    Medium      N/A  UA   UA        UA   UA   UA        UA   UA        UA
    MTIS09-133-C  Mozilla liboggplay RCE   Medium      N/A  UA   UA        UA   UA   UA        UA   UA        UA

    Column key: DAT = VirusScan DAT files; BOP = VSE Buffer Overflow Protection; NSP = McAfee Network Security Platform; MVM = McAfee Vulnerability Manager; MRM = McAfee Remediation Manager; MPA SCAP = McAfee Policy Auditor SCAP.
    Cell key (as expanded in the detailed entries below): Yes = coverage available; No = coverage not warranted at this time; Pend = coverage pending in an upcoming release; Exp = generic protection expected to cover; UA = under analysis; N/A = out of scope.


    McAfee Product Coverage Updates *

    Advisory      Threat                   Status    Importance  DAT   BOP  Host IPS  NSP  MVM   MNAC 2.x  MRM  MPA SCAP  MNAC SCAP
    MTIS09-132-A  Adobe newPlayer() RCE    Previous  High        Pend  N/A  Exp       Yes  Pend  No        N/A  UA        UA
                                           Current   High        Yes   N/A  Exp       Yes  Pend  No        N/A  UA        UA

    Column key: DAT = VirusScan DAT files; BOP = VSE Buffer Overflow Protection; NSP = McAfee Network Security Platform; MVM = McAfee Vulnerability Manager; MRM = McAfee Remediation Manager; MPA SCAP = McAfee Policy Auditor SCAP. Cell key: Yes = coverage available; No = coverage not warranted at this time; Pend = pending in an upcoming release; Exp = generic protection expected to cover; UA = under analysis; N/A = out of scope.
    Change since MTIS09-132: DAT coverage for the malicious PDF files has moved from pending to available (detected as Exploit-PDF.ag in the 5834 DAT files, released December 16); the other coverage columns are unchanged.

    Exploit-PDF.ag Trojan [MTIS09-133-A]

    Threat Identifier(s): Exploit-PDF.ag
    Threat Type: Malware
    Risk Assessment: Low-profiled
    Main Threat Vectors: E-Mail; Web; Peer-to-Peer Networks
    User Interaction Required: Yes
    Description:
    Exploit-PDF.ag is the detection name for maliciously crafted PDF files that exploit CVE-2009-4324, a code-execution vulnerability in Adobe Acrobat and Adobe Reader. (Full details are available from Adobe at http://www.adobe.com/support/security/advisories/apsa09-07.html.) On successful exploitation the PDF installs and executes the downloader Trojan Generic Downloader.fg, which in turn downloads further malware, detected as Generic Dropper.og.
    Importance: High. This threat has gained media attention.
    McAfee Product Coverage *
       DAT files: Coverage is provided as Exploit-PDF.ag in the 5834 DAT files, released December 16.
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: The UDS release of December 15 includes the signature "UDS-HTTP: Adobe Acrobat JavaScript PDF Code Execution Vulnerability," which provides partial coverage.
       McAfee Vulnerability Manager: Under analysis
       MNAC 2.x: Under analysis
       McAfee Remediation Manager: Out of scope
       McAfee Policy Auditor SCAP: Out of scope
       MNAC SCAP: Out of scope
    Additional Information:
       McAfee: Exploit-PDF.ag
       Adobe: Security Advisory for Adobe Reader and Acrobat

    Back to top
    Mozilla Products "libtheora" Integer Overflow Vulnerability [MTIS09-133-B]

    Threat Identifier(s): CVE-2009-3389
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; Web
    User Interaction Required: Yes
    Description:
    An integer overflow vulnerability in Mozilla Firefox and SeaMonkey may allow remote code execution. The flaw lies in the Theora video library (libtheora): when a video's dimensions exceed a certain size, multiplying the display width by the display height overflows a 32-bit integer, so the resulting value no longer reflects the true frame size. Exploitation can occur via a specially crafted video file, possibly allowing the execution of arbitrary code. Failed exploit attempts may result in a denial-of-service (DoS) condition.
    Importance: Medium. On December 15 Mozilla released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Under analysis
       Host IPS: Under analysis
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: Under analysis
       MNAC 2.x: Under analysis
       McAfee Remediation Manager: Under analysis
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       Mozilla: Mozilla Foundation Security Advisory 2009-67

    Back to top
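    The dimension check described in MTIS09-133-B, as an added example (not Mozilla's or libtheora's code): the script parses the 42-byte Theora identification header laid out in the Theora specification, derives the frame dimensions (width and height are stored in 16-pixel macroblocks), and shows the unchecked 32-bit product beside an overflow-safe check. The sample headers are constructed inline; the 3-bytes-per-pixel buffer size is an assumption for illustration and does not reproduce libtheora's actual allocation arithmetic.

```python
"""Theora identification header: parse the frame dimensions and refuse sizes
whose pixel/byte count would overflow a 32-bit integer (CVE-2009-3389 class).
Added example, not libtheora's or Mozilla's code. Sample headers are
constructed below; bytes_per_pixel=3 is an assumption for the demonstration."""
import struct

HEADER_MAGIC = b"\x80theora"
UINT32_MAX = 0xFFFFFFFF


def build_ident_header(fmbw, fmbh, picw=None, pich=None):
    """Constructed sample input: a 42-byte identification header.
    fmbw/fmbh are the frame width/height in 16-pixel macroblocks."""
    picw = fmbw * 16 if picw is None else picw
    pich = fmbh * 16 if pich is None else pich
    hdr = HEADER_MAGIC
    hdr += bytes([3, 2, 1])                                   # VMAJ, VMIN, VREV
    hdr += struct.pack(">HH", fmbw, fmbh)                     # FMBW, FMBH
    hdr += picw.to_bytes(3, "big") + pich.to_bytes(3, "big")  # PICW, PICH
    hdr += bytes([0, 0])                                      # PICX, PICY
    hdr += struct.pack(">II", 30, 1)                          # FRN, FRD
    hdr += (1).to_bytes(3, "big") + (1).to_bytes(3, "big")    # PARN, PARD
    hdr += bytes([0])                                         # CS
    hdr += (0).to_bytes(3, "big")                             # NOMBR
    # QUAL (6 bits), KFGSHIFT (5 bits), PF (2 bits), reserved (3 bits)
    hdr += struct.pack(">H", (0 << 10) | (6 << 5) | (0 << 3))
    assert len(hdr) == 42
    return hdr


def parse_ident_header(hdr):
    """Extract frame and picture dimensions from the identification header."""
    if len(hdr) < 42 or hdr[:7] != HEADER_MAGIC:
        raise ValueError("not a Theora identification header")
    fmbw, fmbh = struct.unpack(">HH", hdr[10:14])
    return {
        "frame_w": fmbw * 16,
        "frame_h": fmbh * 16,
        "pic_w": int.from_bytes(hdr[14:17], "big"),
        "pic_h": int.from_bytes(hdr[17:20], "big"),
    }


def frame_bytes_32bit(w, h, bytes_per_pixel=3):
    """What an unchecked 32-bit decoder computes: the product wrapped mod 2^32.
    Python ints do not wrap, so the mask emulates the C behaviour."""
    return (w * h * bytes_per_pixel) & UINT32_MAX


def checked_frame_bytes(w, h, bytes_per_pixel=3):
    """Overflow-safe version, written the way a C decoder would do it:
    test each multiplication against UINT32_MAX before performing it."""
    if w == 0 or h == 0:
        raise ValueError("zero frame dimension")
    if w > UINT32_MAX // h:
        raise OverflowError("width * height overflows 32 bits")
    pixels = w * h
    if pixels > UINT32_MAX // bytes_per_pixel:
        raise OverflowError("frame byte count overflows 32 bits")
    return pixels * bytes_per_pixel


def validate_header(hdr):
    """Parse, sanity-check the picture region, and compute a safe buffer size."""
    d = parse_ident_header(hdr)
    if d["pic_w"] > d["frame_w"] or d["pic_h"] > d["frame_h"]:
        raise ValueError("picture region exceeds frame")
    d["frame_bytes"] = checked_frame_bytes(d["frame_w"], d["frame_h"])
    return d


def header_is_safe(hdr):
    """True if the header parses and its frame size fits in 32-bit arithmetic."""
    try:
        validate_header(hdr)
        return True
    except (ValueError, OverflowError):
        return False


if __name__ == "__main__":
    sane = build_ident_header(40, 30)          # 640 x 480
    hostile = build_ident_header(4096, 4096)   # 65536 x 65536
    print(validate_header(sane))
    # An unchecked decoder would size the buffer for a 65536x65536 frame at 0 bytes.
    print(frame_bytes_32bit(65536, 65536), header_is_safe(hostile))
```

    The hostile header is well-formed (every field is within its bit width), which is why a format-level check is not enough: the overflow only appears when the fields are multiplied, so the product itself has to be bounds-checked before it is used to size a buffer.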
    Mozilla Products "liboggplay" Media Library Code Execution Vulnerability [MTIS09-133-C]

    Threat Identifier(s): CVE-2009-3388
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; Web
    User Interaction Required: Yes
    Description:
    A vulnerability in Mozilla Firefox and SeaMonkey may allow remote code execution. The flaw lies in specific "memory safety issues" in the liboggplay media library. Exploitation can occur via a specially crafted video file, possibly allowing the execution of arbitrary code. Failed exploit attempts may result in a denial-of-service (DoS) condition.
    Importance: Medium. On December 15 Mozilla released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Under analysis
       Host IPS: Under analysis
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: Under analysis
       MNAC 2.x: Under analysis
       McAfee Remediation Manager: Under analysis
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       Mozilla: Mozilla Foundation Security Advisory 2009-66

    Back to top
    Adobe Acrobat JavaScript newPlayer() Code Execution Vulnerability [MTIS09-132-A]

    Threat Identifier(s): CVE-2009-4324
    Threat Type: Vulnerability
    Risk Assessment: High
    Main Threat Vectors: E-Mail; Web; Locally logged-on user
    User Interaction Required: Yes
    Description:
    A vulnerability in the JavaScript newPlayer() method of Adobe Acrobat and Adobe Reader may allow remote code execution. The flaw affects Acrobat and Reader Versions 9.2 and earlier on Windows, Mac OS X, and Unix platforms. An attacker who convinces a user to open a specially crafted PDF file could take full control of the vulnerable system. Reports state that this vulnerability is being actively exploited in the wild, and various proof-of-concept exploits also exist.
    Importance: High. This threat has gained media attention. Active exploitation has been reported from the field.
    McAfee Product Coverage *
       DAT files: Coverage for malicious PDF files is provided as Exploit-PDF.ag in the 5834 DAT files, released December 16.
       VSE BOP: Out of scope
       Host IPS: Generic buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The UDS release of December 15 includes the signature "HTTP: Adobe Acrobat JavaScript PDF Code Execution Vulnerability," which provides coverage. The signature "HTTP: Generic PDF Evasion," released June 25, provides partial coverage.
       McAfee Vulnerability Manager: An upcoming FSL/MVM package will include a vulnerability check to assess whether your systems are at risk.
       MNAC 2.x: Coverage not warranted at this time
       McAfee Remediation Manager: Coverage not warranted at this time
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       Adobe: Security Advisory for Adobe Reader and Acrobat
       The Register: Unpatched PDF flaw harnessed to launch targeted attacks

    Back to top
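    A triage check for the malicious PDFs covered by MTIS09-133-A and MTIS09-132-A, as an added example (not McAfee's, Adobe's, or any product's code): the script walks a PDF's objects, decodes hex-escaped names (the kind of evasion a "Generic PDF Evasion" style signature has to see through), inflates FlateDecode streams, and flags automatic-action keys and JavaScript that references the newPlayer() method named in the advisory. The sample PDF is constructed in memory and carries only indicator strings, not an exploit; the indicator lists and the verdict rules are this example's own choices.

```python
"""Triage scanner for PDF files carrying JavaScript that references the
Acrobat/Reader newPlayer() method (CVE-2009-4324), the vector used by
Exploit-PDF.ag. Added example, not McAfee's or Adobe's code. The sample PDF
is constructed below and holds only indicator strings, not an exploit."""
import re
import zlib

# Names that make the reader run script on open, plus the method from the advisory.
SUSPICIOUS_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS")
JS_INDICATORS = ("newPlayer", "unescape(", "fromCharCode")   # example's own list

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data):
    """Decode #xx escapes inside PDF names, so /J#53 is seen as /JS."""
    return NAME_HEX_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def inflate(data):
    """Inflate a FlateDecode stream; keep whatever a truncated stream yields."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""


def scan_pdf(pdf):
    """Return automatic-action names, objects with script indicators, the
    indicators seen, and a verdict of 'malicious', 'suspicious' or 'clean'."""
    names, js_objects, indicators = set(), [], set()
    for num, body in OBJ_RE.findall(pdf):
        m = STREAM_RE.search(body)
        head = normalize_names(body[:m.start()] if m else body)  # the dictionary
        for name in SUSPICIOUS_NAMES:
            if re.search(re.escape(name) + rb"(?![A-Za-z])", head):
                names.add(name.decode())
        payload = b""
        if m:
            payload = m.group(1)
            if b"/FlateDecode" in head:
                payload = inflate(payload)
        # Script may be an inline string in the dictionary or a stream body.
        hits = {ind for ind in JS_INDICATORS if ind.encode() in head + payload}
        if hits:
            js_objects.append(int(num))
            indicators |= hits
    if "newPlayer" in indicators:
        verdict = "malicious"          # CVE-2009-4324 indicator present
    elif indicators or {"/JavaScript", "/JS"} & names:
        verdict = "suspicious"         # embedded JavaScript, no known-bad call
    else:
        verdict = "clean"
    return {"names": names, "js_objects": js_objects,
            "indicators": indicators, "verdict": verdict}


def build_sample_pdf():
    """Constructed sample: a minimal PDF whose catalog OpenAction points at a
    JavaScript action, with the /JS key hex-escaped and the script held in a
    Flate-compressed stream. The script body is a harmless placeholder."""
    js = b"var p = this.media.newPlayer(null); app.alert('demo');"
    packed = zlib.compress(js)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Action /S /JavaScript /J#53 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, 1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```

    A plain string search on the raw file would miss this sample twice over: the /JS key is hidden behind a hex escape and the newPlayer() call sits inside a compressed stream. Real samples add further layers (object streams, other filters, string splitting inside the script), which is why signature coverage here is described as partial and why a scanner like this is a triage aid rather than a substitute for patching.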
    Detailed descriptions of the Security Advisories can be found in the Users Guide: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_UsersGuide.pdf

    For more information on McAfee Avert Labs Security Advisories, see: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_FAQ.pdf

    For McAfee Technical Support, click here.

    For Multi-National Phone Support, click here.

    McAfee values your feedback on this Security Advisory. Please reply to this mail with your comments.

    *The information provided is only for the use and convenience of McAfee's customers in connection with their McAfee products, and applies only to the threats described herein. McAfee product coverage statements are limited to known attack vectors and should not be considered comprehensive. THE INFORMATION PROVIDED HEREIN IS PROVIDED "AS IS" AND IS SUBJECT TO CHANGE WITHOUT NOTICE.

    The information contained herein is the property of McAfee, Inc. and may not be reproduced or disseminated without the expressed written consent of McAfee, Inc.

    McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054 888.847.8766 www.mcafee.com

    © 2009 McAfee, Inc. All rights reserved.