Mikko Hypponen Warns of Adobe Reader Threats

Friday, November 11, 2011



F-Secure's Mikko Hypponen urged organizations to reconsider the continued use of Adobe Reader given the tendency for attackers to exploit the application's frequent vulnerabilities.

Hypponen made the comments during the recent PacSec 2011 conference in Tokyo.

Attackers often exploit vulnerabilities that allow malicious code to be embedded in a PDF file; when the file is opened in a vulnerable reader, the code runs on the victim's computer and can install a backdoor that the attackers then use to access systems and harvest sensitive information.

But Hypponen says that the PDF format itself is not the culprit; it is the widespread use of Adobe Reader that gives attackers the opportunity to infect a system.

"These attacks are not against PDF - these attacks are against Adobe Reader. You open these files in any other reader than Adobe Reader and there is no exploit," said Hypponen.
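As an added illustration, not part of the original article and not F-Secure's or Adobe's code: the "malicious code embedded in a PDF" that the article refers to is usually delivered as active content that the reader executes automatically on open (an /OpenAction or /AA trigger pointing at a /JavaScript or /Launch action). A first-pass triage, in the spirit of keyword scanners such as pdfid, is to count those names in the raw file. The script below does that over three constructed sample PDFs (a benign one, one that runs JavaScript on open, and one that hides the same keywords behind PDF name hex escapes such as /J#61vaScript, an evasion that defeats naive string matching). The keyword list and scoring rules are this example's own choices.

```python
import re

# Constructed sample: minimal PDF whose catalog runs JavaScript on open.
# Structure only; it carries no exploit.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same trigger chain, keywords hidden with #xx name escapes.
OBFUSCATED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj
3 0 obj << /S /J#61vaScript /JS (...) >> endobj
%%EOF
"""

# Constructed sample: no active content at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
%%EOF
"""

# Names that indicate auto-run triggers, script, or embedded payloads.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/AcroForm", "/XFA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name ends at whitespace or a delimiter, so /JS must not match /JSX.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript is seen as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict:
    """Count each risky name in the (de-obfuscated) raw bytes."""
    text = normalize_names(data)
    return {name: len(re.findall(re.escape(name.encode()) + _NAME_END, text))
            for name in RISKY_NAMES}


def triage(data: bytes) -> dict:
    """Return keyword counts, number of hex-escaped names, and a verdict."""
    counts = count_risky_names(data)
    escaped = len(_HEX_ESCAPE.findall(data))
    # Auto-run trigger plus script/launch is the classic Reader delivery chain;
    # hex-escaped names are an evasion signal in their own right.
    auto_run = counts["/OpenAction"] + counts["/AA"]
    scripted = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"]
    if auto_run and scripted:
        verdict = "suspicious: auto-run action with script/launch"
    elif scripted or escaped:
        verdict = "review: active content or obfuscated names"
    else:
        verdict = "no active content markers"
    return {"counts": counts, "hex_escaped_names": escaped, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_PDF),
                          ("obfuscated", OBFUSCATED_PDF),
                          ("benign", BENIGN_PDF)):
        print(label, triage(sample)["verdict"])
```

This is triage, not a verdict on the file: names inside compressed object streams (/ObjStm with /FlateDecode) are invisible to a raw scan, and a clean result only means no markers were found in plaintext. A hit is the cue to open the file in a sandbox or with a dedicated parser, not in the reader the attack targets.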

Hypponen also commented on the rush to judgement in attributing many headline-making attacks to the Chinese. In most cases it is nearly impossible to determine the origin of an attack with confidence, and even more difficult to ascertain whether it was state-sponsored.

"These attacks are commonly attributed to the Chinese Government and indeed it looks like a lot of them are coming from a source like that. But whether it's the Chinese Government themselves or whether they are using what we call 'useful idiots' - like global hackers who are encouraged to do this for the Government - we don't really know," Hypponen said.

From an attacker's perspective, it may be advantageous to craft an attack so that it appears to emanate from China, masking the true origin of the operation.

"I'd do everything I could to make it look like it's [from] the Chinese. Everybody is just going to assume it's [from] the Chinese, even if it's not [them]," Hypponen stated.

Proxies, routing tricks, compromised machines, and spoofed IP addresses can be coordinated to give the appearance that an attack is originating far from the actual source.

"It's also a safe bet to assume that there are other players in the field as well. Other countries are spying with exactly the same mechanisms, but they try to make their attacks look like it's [from] the Chinese because they're such an easy scapegoat," Hypponen continued.

2011 saw successful attacks against some very high profile targets, including numerous defense contractors and the now infamous case of the RSA attack.

In March of this year, RSA, the security division of EMC, announced that it had suffered a breach stemming from a sophisticated attack on its network systems. What little information has been made available since the attack indicates that the infiltrators targeted proprietary information on RSA's SecurID two-factor authentication systems.

According to researchers from F-Secure, the initial vector was most likely an email with a short message and an infected Excel spreadsheet attached.

SecurID is a product designed to prevent unauthorized access to enterprise network systems, and RSA's customers include government, military, financial, enterprise, healthcare and insurance companies.

In June, after detecting unauthorized access attempts, Lockheed disabled its employees' remote access privileges while it reissued new SecurID tokens to all telecommuting workers and required all employees with network access to change their passwords.

Shortly after, defense contractor Northrop Grumman also reportedly disabled remote access to company networks, then L-3 Communications reported the company had suffered a network breach stemming from cloned RSA SecurID tokens.

"These attacks almost always have the same blueprint... They are almost always attacks that start with an email... coming from a trusted sender, from someone the recipient knows, and it speaks about normal things - work issues, projects, plans, meetings - stuff that's actually happening," Hypponen noted.

Source:  http://www.itnews.com.au/News/279623,fear-of-china-masks-the-work-of-other-web-spies.aspx

Editor's note: The source, ITNews, incorrectly identified Hypponen as the CEO of F-Secure, and the error was initially repeated in this article. Hypponen's position is actually Chief Research Officer.
