
McAfee Labs Security Advisory: MTIS09-133

December 17, 2009

MTIS09-133
Executive Summary
Since the last McAfee® Labs Security Advisory (December 16), the following noteworthy events have taken place:
  • The Exploit-PDF.ag Trojan has gained media attention.
  • Patches are now available for vulnerabilities in Mozilla Firefox and SeaMonkey.
  • McAfee product coverage has been updated for a vulnerability in Adobe Acrobat and Adobe Reader.

McAfee product coverage for these events:

McAfee Product Coverage *

| Threat | Name | Importance | DAT | BOP | Host IPS | McAfee Network Security Platform | McAfee Vulnerability Manager | MNAC 2.x | McAfee Remediation Manager | McAfee Policy Auditor SCAP | MNAC SCAP |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MTIS09-133-A | Exploit-PDF.ag | High | Yes | N/A | N/A | Yes | UA | UA | N/A | N/A | N/A |
| MTIS09-133-B | Mozilla libtheora RCE | Medium | N/A | UA | UA | UA | UA | UA | UA | UA | UA |
| MTIS09-133-C | Mozilla liboggplay RCE | Medium | N/A | UA | UA | UA | UA | UA | UA | UA | UA |



McAfee Product Coverage Updates *

| Threat | Advisory | Importance | DAT | BOP | Host IPS | McAfee Network Security Platform | McAfee Vulnerability Manager | MNAC 2.x | McAfee Remediation Manager | McAfee Policy Auditor SCAP | MNAC SCAP |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MTIS09-132-A Adobe newPlayer() RCE | Previous | High | Pend | N/A | Exp | Yes | Pend | No | N/A | UA | UA |
| | Current | High | Yes | N/A | Exp | Yes | Pend | No | N/A | UA | UA |


Exploit-PDF.ag Trojan [MTIS09-133-A]

Threat Identifier(s): Exploit-PDF.ag
Threat Type: Malware
Risk Assessment: Low-profiled
Main Threat Vectors: E-Mail; Web; Peer-to-Peer Networks
User Interaction Required: Yes
Description: Exploit-PDF.ag is malware that exploits a vulnerability in Adobe Acrobat and Reader. These maliciously crafted PDF files exploit the vulnerability CVE-2009-4324. (Full details are available from Adobe at http://www.adobe.com/support/security/advisories/apsa09-07.html.) The malware installs and executes the malicious downloader Trojan Generic Downloader.fg, which downloads further malware, detected as Generic Dropper.og.
Importance: High. This threat has gained media attention.
McAfee Product Coverage *
   DAT files: Coverage is provided as Exploit-PDF.ag in the 5834 DAT files, released December 16.
   VSE BOP: Out of scope
   Host IPS: Out of scope
   McAfee Network Security Platform: The UDS release of December 15 includes the signature "UDS-HTTP: Adobe Acrobat JavaScript PDF Code Execution Vulnerability," which provides partial coverage.
   McAfee Vulnerability Manager: Under analysis
   MNAC 2.x: Under analysis
   McAfee Remediation Manager: Out of scope
   McAfee Policy Auditor SCAP: Out of scope
   MNAC SCAP: Out of scope
Additional Information:
   McAfee: Exploit-PDF.ag
   Adobe: Security Advisory for Adobe Reader and Acrobat

Mozilla Products "libtheora" Integer Overflow Vulnerability [MTIS09-133-B]

Threat Identifier(s): CVE-2009-3389
Threat Type: Vulnerability
Risk Assessment: Medium
Main Threat Vectors: E-Mail; Web
User Interaction Required: Yes
Description: An integer overflow vulnerability in Mozilla Firefox and SeaMonkey may allow remote code execution. The flaw lies in an integer overflow condition in the Theora video library. When the dimensions of a video extend beyond a particular point, multiplying the video's display dimensions can cause a 32-bit integer overflow. Exploitation can occur via a specially crafted video file, possibly allowing the execution of arbitrary code. Failed exploit attempts may result in a denial-of-service (DoS) condition.
Importance: Medium. On December 15 Mozilla released a patch that fixes the issue.
McAfee Product Coverage *
   DAT files: Out of scope
   VSE BOP: Under analysis
   Host IPS: Under analysis
   McAfee Network Security Platform: Under analysis
   McAfee Vulnerability Manager: Under analysis
   MNAC 2.x: Under analysis
   McAfee Remediation Manager: Under analysis
   McAfee Policy Auditor SCAP: Under analysis
   MNAC SCAP: Under analysis
Additional Information:
   Mozilla: Mozilla Foundation Security Advisory 2009-67
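
The 32-bit wraparound described in this entry, shown as an added example that is not part of the original advisory and is not libtheora's code. The function names and the sample dimensions are hypothetical; the block puts the unchecked multiplication beside a checked version that rejects oversized dimensions before a buffer is sized.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked: the product is computed in 32 bits and silently wraps mod 2^32,
 * so a huge frame can yield a small byte count. */
uint32_t plane_size_unchecked(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Checked: reject zero dimensions and any product that does not fit in
 * 32 bits, before the multiplication is performed. Returns 0 on success. */
int plane_size_checked(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width == 0 || height == 0)
        return -1;
    if (width > UINT32_MAX / height)
        return -1;                    /* width * height would overflow */
    *out = width * height;
    return 0;
}

/* Allocate one byte per pixel only when the size is known to be exact. */
uint8_t *alloc_plane(uint32_t width, uint32_t height)
{
    uint32_t n;
    if (plane_size_checked(width, height, &n) != 0)
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed sample dimensions: 65536 * 65537 = 2^32 + 65536. */
    uint32_t w = 65536u, h = 65537u, n = 0;
    printf("unchecked: %u bytes\n", (unsigned)plane_size_unchecked(w, h));
    printf("checked:   %s\n", plane_size_checked(w, h, &n) ? "rejected" : "ok");
    return 0;
}
```

A buffer sized from the unchecked result would be far smaller than the frame the dimensions describe, which is why the check has to come before the allocation.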

Mozilla Products "liboggplay" Media Library Code Execution Vulnerability [MTIS09-133-C]

Threat Identifier(s): CVE-2009-3388
Threat Type: Vulnerability
Risk Assessment: Medium
Main Threat Vectors: E-Mail; Web
User Interaction Required: Yes
Description: A vulnerability in Mozilla Firefox and SeaMonkey may allow remote code execution. The flaw lies in specific "memory safety issues" in the liboggplay media library. Exploitation can occur via a specially crafted video file, possibly allowing the execution of arbitrary code. Failed exploit attempts may result in a denial-of-service (DoS) condition.
Importance: Medium. On December 15 Mozilla released a patch that fixes the issue.
McAfee Product Coverage *
   DAT files: Out of scope
   VSE BOP: Under analysis
   Host IPS: Under analysis
   McAfee Network Security Platform: Under analysis
   McAfee Vulnerability Manager: Under analysis
   MNAC 2.x: Under analysis
   McAfee Remediation Manager: Under analysis
   McAfee Policy Auditor SCAP: Under analysis
   MNAC SCAP: Under analysis
Additional Information:
   Mozilla: Mozilla Foundation Security Advisory 2009-66

Adobe Acrobat JavaScript newPlayer() Code Execution Vulnerability [MTIS09-132-A]

Threat Identifier(s): CVE-2009-4324
Threat Type: Vulnerability
Risk Assessment: High
Main Threat Vectors: E-Mail; Web; Locally logged-on user
User Interaction Required: Yes
Description: A vulnerability in Adobe Acrobat and Adobe Acrobat Reader may allow remote code execution. The flaw is specific to Acrobat and Acrobat Reader Versions 9.2 and earlier on Windows, Mac OS X, and Unix platforms. Upon exploitation an attacker could potentially take full control of a vulnerable system. Reports state that this vulnerability is being actively exploited in the wild. Various proof-of-concept exploits also exist.
Importance: High. This threat has gained media attention. Active exploitation has been reported from the field.
McAfee Product Coverage *
   DAT files: Coverage for malicious PDF files is provided as Exploit-PDF.ag in the 5834 DAT files, released December 16.
   VSE BOP: Out of scope
   Host IPS: Generic buffer overflow protection is expected to cover code-execution exploits.
   McAfee Network Security Platform: The UDS release of December 15 includes the signature "HTTP: Adobe Acrobat JavaScript PDF Code Execution Vulnerability," which provides coverage. The signature "HTTP: Generic PDF Evasion," released June 25, provides partial coverage.
   McAfee Vulnerability Manager: An upcoming FSL/MVM package will include a vulnerability check to assess if your systems are at risk.
   MNAC 2.x: Coverage not warranted at this time
   McAfee Remediation Manager: Coverage not warranted at this time
   McAfee Policy Auditor SCAP: Under analysis
   MNAC SCAP: Under analysis
Additional Information:
   Adobe: Security Advisory for Adobe Reader and Acrobat
   The Register: Unpatched PDF flaw harnessed to launch targeted attacks

Detailed descriptions of the Security Advisories can be found in the Users Guide: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_UsersGuide.pdf

For more information on McAfee Avert Labs Security Advisories, see: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_FAQ.pdf

McAfee values your feedback on this Security Advisory. Please reply to this mail with your comments.

*The information provided is only for the use and convenience of McAfee's customers in connection with their McAfee products, and applies only to the threats described herein. McAfee product coverage statements are limited to known attack vectors and should not be considered comprehensive. THE INFORMATION PROVIDED HEREIN IS PROVIDED "AS IS" AND IS SUBJECT TO CHANGE WITHOUT NOTICE.

The information contained herein is the property of McAfee, Inc. and may not be reproduced or disseminated without the expressed written consent of McAfee, Inc.

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054 888.847.8766 www.mcafee.com

® 2009 McAfee, Inc. All rights reserved.

Version history
Revision #: 1 of 1
Last update: 12-18-2009 08:19 AM