You have received a greeting card!

Email-based greeting-card attacks continue to be seen in great numbers. These attacks, along with other current email-based attacks, can generally be split into two groups:
  1. Attacks that try to trick the user into downloading or opening malicious attachments
  2. Attacks that try to trick the user into visiting a malicious web site
Neither attack relies on particularly new techniques. However, many of the attacks are multi-faceted, and many rely on vulnerabilities in applications that are commonly used as plugins by the user's web browser.

Overview

There are three main reasons that organisations and individuals are likely to be adversely affected by the current round of email-based attacks.

Firstly, many of the attacks focus on vulnerabilities that are associated with unpatched versions of Acrobat Reader, Flash Player and the Java Runtime, and all of these applications are commonly accessed by a user's browser and email reader to display rich content and run web applications. This makes it more likely that users will come in contact with compromised sites or material.

Secondly, it appears that some content filters are not detecting the malicious content, which is doubly worrying considering the number of email baits that we have seen; the emails have, for example, had .pdf files attached, or claimed to contain links to various kinds of greeting cards.

Thirdly and lastly, the applications in question are less likely to be automatically patched in many organisations, as some patch regimes focus on operating system vulnerabilities, and these vulnerabilities are all associated with third-party products.

The good news is that patches are available, at least for the known vulnerabilities.

You can follow the links to the vendor's web sites to find out if you require patches, and how to apply them if you do:

http://www.adobe.com/support/security/bulletins/apsb07-12.html
http://www.adobe.com/support/security/bulletins/apsb07-01.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1

Of course, as you probably realise, these patches only solve problems with known exploits. Now might also be a good time to check your browser security settings and disable active content and default plug-in activation. This may interfere with some legitimate sites and email, but such client-side functionality can always be enabled on a case-by-case basis. It can be argued that this approach is better than leaving the functionality door open for the next exploit to waltz through, particularly as the trend towards web-based application exploits seems to be growing.


Accreditation!

DotSec is now a signatory to the Qld State Government's GITC information technology supplier agreement. Our GITC number is Q-2554. See the GITC web page.

DotSec has been selected for inclusion in the Critical Network Vulnerability Assessment (CNVA) program, for the provision of computer network vulnerability assessments and related work. The CNVA program is managed through the Attorney-General's Department.