
zero-day hole in Windows ..


Doug Mentohl

Feb 21, 2009, 9:15:26 AM
"Adobe has identified a critical security vulnerability in all recent
versions of Acrobat and Reader, the company's software for creating and
viewing files in portable document format, on all platforms, including
Windows, Linux, and Mac OS X .."

Meanwhile, users of Mac OS X can do a couple things to mitigate the issue ..

http://arstechnica.com/security/news/2009/02/adobe-issues-critical-security-alert-for-acrobat-and-reader.ars

When successful, the following files are dropped and installed ..
svchost.exe (Backdoor-DTJ trojan) ..

http://vil.nai.com/vil/content/v_153842.htm
--

Where's the Mac OS X and Linux working version?

Ezekiel

Feb 21, 2009, 9:22:52 AM

"Doug Mentohl" <doug_m...@linuxmail.org> wrote in message
news:gnp29u$dbv$1...@news.datemas.de...

> "Adobe has identified a critical security vulnerability in all recent
> versions of Acrobat and Reader, the company's software for creating and
> viewing files in portable document format, on all platforms, including
> Windows, Linux, and Mac OS X .."
>
> Meanwhile, users of Mac OS X can do a couple things to mitigate the issue
> ..
>
> http://arstechnica.com/security/news/2009/02/adobe-issues-critical-security-alert-for-acrobat-and-reader.ars
>

---> "Adobe has identified a critical security vulnerability in all recent
versions of Acrobat and Reader ... including Windows, **LINUX**, and Mac
OS X .."

Doug Mentohl

Feb 21, 2009, 9:28:54 AM
Ezekiel wrote:

> ---> "Adobe has identified a critical security vulnerability in all recent versions of Acrobat and Reader ... including Windows, **LINUX**, and Mac OS X .."

Where's the Mac OS X and Linux working version?

Ezekiel

Feb 21, 2009, 9:34:15 AM

"Doug Mentohl" <doug_m...@linuxmail.org> wrote in message
news:gnp335$e47$3...@news.datemas.de...

Exactly what part of the statement that this vulnerability exists in *all*
versions including those for LINUX and OSX is too difficult for you to
comprehend?

Doug Mentohl

Feb 21, 2009, 9:41:24 AM
Ezekiel wrote:

> Exactly what part of the statement that this vulnerability exists in *all* versions including those for LINUX and OSX is too difficult for you to comprehend?

"When successful, the following files are dropped and installed:
%UserProfile%\Local Settings\Temp\svchost.exe (Backdoor-DTJ trojan) "

Where's the Mac OS X and Linux working version? How do I get svchost.exe
to execute the same zero-day behaviour on a Mac or Linux OS? Provide a
link to a working exploit.

Peter Köhlmann

Feb 21, 2009, 10:34:44 AM
Ezekiel wrote:

/quote
When successful, the following files are dropped and installed ..

%UserProfile%\Local Settings\Temp\svchost.exe (Backdoor-DTJ trojan)
%UserProfile%\Local Settings\Temp\temp.exe (Generic Dropper.ck trojan)
/unquote

/quote
Most Linux installations already rely on a default alternative viewer.
/unquote

Well, *that* trojan will certainly have lots of fun on my linux systems
(and on OSX systems as well) because:

a) Acrobat is *not* the default PDF viewer here
b) even *if* it were, please explain how that "svchost.exe" or that
"temp.exe" will do *anything* malicious to the system

c) I couldn't care less, as I simply have no use for the Acrobat reader

Generally linux systems do *not* use the Acrobat reader. So even if that
same hole exists in the linux version, it is utterly irrelevant

So it seems it is you with the difficulties. Not that it is surprising,
though. You are stupid. Incredibly stupid.
--
Only two things are infinite,
the Universe and Stupidity.
And I'm not quite sure about the former.
- Albert Einstein


Ezekiel

Feb 21, 2009, 10:41:19 AM

"Peter Köhlmann" <peter.k...@arcor.de> wrote in message
news:49a01f15$0$31864$9b4e...@newsspool3.arcor-online.net...

> Ezekiel wrote:
>
>>
>> "Doug Mentohl" <doug_m...@linuxmail.org> wrote in message
>> news:gnp335$e47$3...@news.datemas.de...
>>> Ezekiel wrote:
>>>
>>>> ---> "Adobe has identified a critical security vulnerability in all
>>>> recent versions of Acrobat and Reader ... including Windows,
>>>> **LINUX**, and Mac OS X .."
>>>
>>> Where's the Mac OS X and Linux working version ?
>>
>> Exactly what part of the statement that this vulnerability exists in
>> *all* versions including those for LINUX and OSX is too difficult for
>> you to comprehend?
>

> /quote
> Most Linux installations already rely on a default alternative viewer.
> /unquote

Most != ALL

> Well, *that* trojan will certainly have lots of fun on my linux systems
> (and on OSX systems as well) because:

> a) Acrobat is *not* the default PDF viewer here

Good for you. But this is an ADOBE ACROBAT vulnerability that affects *ALL*
platforms you idiot.

<snip unread>


Roy Schestowitz

Feb 21, 2009, 12:06:19 PM

____/ Doug Mentohl on Saturday 21 February 2009 14:41 : \____

The Munchkins can go about Wine and whine.

--
~~ Best of wishes

Roy S. Schestowitz | Linux: stop maintenance; get more actual work done
http://Schestowitz.com | RHAT Linux | PGP-Key: 0x74572E8E
17:05:01 up 14 days, 12:23, 2 users, load average: 1.79, 1.40, 1.17
http://iuron.com - Open Source knowledge engine project

Doctor Smith

Feb 21, 2009, 12:34:42 PM
On Sat, 21 Feb 2009 17:06:19 +0000, Roy Schestowitz wrote:


> The Munchkins can go about Wine and whine.
>
> - --
> ~~ Best of wishes
>
> Roy S. Schestowitz | Linux: stop maintenance; get more actual work done

Hear anything interesting from Gartner lately Roy Schestowitz?
You will :)

Norman Peelman

Feb 21, 2009, 4:18:52 PM

No, it's a vulnerability that exists in all versions of Acrobat and
Reader. Obviously it's not an OS thang.

> /quote
> When successful, the following files are dropped and installed ..
>
> %UserProfile%\Local Settings\Temp\svchost.exe (Backdoor-DTJ trojan)
> %UserProfile%\Local Settings\Temp\temp.exe (Generic Dropper.ck trojan)
> /unquote

The above folder structures don't even exist on my Linux system and
neither does the environment variable %UserProfile% (or $UserProfile or
$USERPROFILE). Kinda trumps whether Acrobat (or Reader) is being used or
not (and it's not).

--
Norman
Registered Linux user #461062

Ezekiel

Feb 21, 2009, 4:29:52 PM

"Norman Peelman" <npee...@cfl.rr.com> wrote in message
news:49a06fa1$0$17033$9a6e...@unlimited.newshosting.com...

"Obviously it's not an OS thang" - which is precisely my point.


>> /quote
>> When successful, the following files are dropped and installed ..
>> %UserProfile%\Local Settings\Temp\svchost.exe (Backdoor-DTJ trojan)
>> %UserProfile%\Local Settings\Temp\temp.exe (Generic Dropper.ck trojan)
>> /unquote
>
> The above folder structures don't even exist on my Linux system and
> neither does the environment variable %UserProfile% (or $UserProfile or
> $USERPROFILE). Kinda trumps whether Acrobat (or Reader) is being used or
> not (and it's not).

Gee... if someone were to exploit this on Linux don't you think that the
file names and paths would be different? Obviously these files and
locations are not going to be the same on every platform.

Doug Mentohl

Feb 21, 2009, 4:36:58 PM
Ezekiel wrote:

> Gee... if someone were to exploit this on Linux don't you think that the file names and paths would be different? Obviously these files and locations are not going to be the same on every platform.

So where is it - this zero-day Linux PDF exploit? It's easy, remember
the five easy steps .. :)

Peter Köhlmann

Feb 21, 2009, 5:25:34 PM
Doug Mentohl wrote:

Make that 7 steps.

Step 6: install Adobe Acrobat Reader
Step 7: Make it the default PDF viewer

Yes, the linux world is already shivering and fearfully awaiting the
onslaught of those svhost.exe and temp.exe files
--
Another name for a Windows tutorial is crash course


chrisv

Feb 21, 2009, 5:27:43 PM
Norman Peelman wrote:

>> /quote
>> When successful, the following files are dropped and installed ..
>>
>> %UserProfile%\Local Settings\Temp\svchost.exe (Backdoor-DTJ trojan)
>> %UserProfile%\Local Settings\Temp\temp.exe (Generic Dropper.ck trojan)
>> /unquote
>
> The above folder structures don't even exist on my Linux system and
> neither does the environment variable %UserProfile% (or $UserProfile or
> $USERPROFILE). Kinda trumps whether Acrobat (or Reader) is being used or
> not (and it's not).

Yeah, I'm really shaking in my boots.

Oh well, I'm sure that the Windolts keep an install disk handy, so they
can just do a reinstall once they get screwed.

Windows works, if your time has no value.

Doctor Smith

Feb 21, 2009, 5:38:07 PM

Yea, all 0.8 percent of the Linux world.
Oops sorry, that *is* the Linux world.

William Poaster

Feb 21, 2009, 6:23:06 PM
On Sat, 21 Feb 2009 16:27:43 -0600, chrisv wrote:

> Norman Peelman wrote:
>
>>> /quote
>>> When successful, the following files are dropped and installed ..
>>>
>>> %UserProfile%\Local Settings\Temp\svchost.exe (Backdoor-DTJ trojan)
>>> %UserProfile%\Local Settings\Temp\temp.exe (Generic Dropper.ck trojan)
>>> /unquote
>>
>> The above folder structures don't even exist on my Linux system and
>> neither does the environment variable %UserProfile% (or $UserProfile or
>> $USERPROFILE). Kinda trumps whether Acrobat (or Reader) is being used or
>> not (and it's not).
>
> Yeah, I'm really shaking in my boots.

Oh, yeah, really scared! They're .exe files too, how am I gonna run them
& miss out on the fun? ;-)

Sinister Midget

Feb 21, 2009, 7:08:06 PM
On 2009-02-21, Peter Köhlmann <peter.k...@arcor.de> claimed:

Maybe somebody should write a HELLOWORLD script, make 2 copies, name
one svhosts.exe, name the other temp.exe and distribute them to Acrobat
users. It might make the Windummies feel less insecure.

That's 5 steps, too.

--
You may be infinitely smaller than some things. But you're
infinitely larger than others.

Don Zeigler

Feb 21, 2009, 7:20:49 PM
William Poaster wrote:

> Oh, yeah, really scared! They're .exe files too, how am I gonna run them
> & miss out on the fun? ;-)

Run them in WINE and see what happens. :-D
--
Regards,
[dmz]
Owner/proprietor, Trollus Amongus, LLC

...Number 6 of Borg - Why I resigned is irrelevant.

William Poaster

Feb 21, 2009, 7:54:35 PM
On Sat, 21 Feb 2009 19:20:49 -0500, Don Zeigler wrote:

> William Poaster wrote:
>
>> Oh, yeah, really scared! They're .exe files too, how am I gonna run
>> them & miss out on the fun? ;-)
>
> Run them in WINE and see what happens. :-D

Oh I'm prayin' that it rains in California.....
so the grapes can grow & they can make more wine.
And I'm sittin' in a honky in ol' Chicago ;-p

Terry Porter

Feb 21, 2009, 8:26:15 PM
Don Zeigler wrote:

> William Poaster wrote:
>
>> Oh, yeah, really scared! They're .exe files too, how am I gonna run them
>> & miss out on the fun? ;-)
>
> Run them in WINE and see what happens. :-D

I did once, just for fun.

I ran some suspect exe file from a spammers email, and just sat and watched
WINE complain about not having all the DLLs this thing wanted, mainly to do
with net access and email facilities.

It was hilarious, and to think that people actually connect live Windows pcs
to the *Internet* !!!

If they could see what's happening, they would be shocked.

I then deleted my .wine directory, and typed 'wine' to get back to a nice
pure, pristine, virus free WINE install.

GNU/Linux/WINE is a window into the MS Windows underbelly.

--
If we wish to reduce our ignorance, there are people we will
indeed listen to. Trolls are not among those people, as trolls, more or
less by definition, *promote* ignorance.
Kelsey Bjarnason, C.O.L.A. 2008

Doctor Smith

Feb 21, 2009, 8:40:54 PM
On Sun, 22 Feb 2009 12:26:15 +1100, Terry Porter wrote:

> Don Zeigler wrote:
>
>> William Poaster wrote:
>>
>>> Oh, yeah, really scared! They're .exe files too, how am I gonna run them
>>> & miss out on the fun? ;-)
>>
>> Run them in WINE and see what happens. :-D
>
> I did once, just for fun.
>
> I ran some suspect exe file from a spammers email, and just sat and watched
> WINE complain about not having all the DLLs this thing wanted, mainly to do
> with net access and email facilities.

You probably screwed it up Terry Porter.
You could figure out how to screw up a cast iron cannon ball.

Sinister Midget

Feb 21, 2009, 9:15:15 PM
On 2009-02-22, Don Zeigler <sit...@this.computer> claimed:

> William Poaster wrote:
>
>> Oh, yeah, really scared! They're .exe files too, how am I gonna run them
>> & miss out on the fun? ;-)
>
> Run them in WINE and see what happens. :-D

Good idea. If one of our beloved Windopes will email them to me (the
one in my posts works) I'll try it out. I have no desire to install the
Windross version of Acrobat to download them myself.

I installed acroread and read all sorts of files with it, but I can't
seem to get them that way. I figgered some of our "I'm too smart to get
infected by anybody" Windummies should have a few copies by now.

--
It would help if everybody wouldn't make sweeping generalizations
all of the time.

chrisv

Feb 21, 2009, 10:52:03 PM
Terry Porter wrote:

> Don Zeigler wrote:
>
>> William Poaster wrote:
>>
>>> Oh, yeah, really scared! They're .exe files too, how am I gonna run
>>> them & miss out on the fun? ;-)
>>
>> Run them in WINE and see what happens. :-D
>
> I did once, just for fun.
>
> I ran some suspect exe file from a spammers email, and just sat and
> watched WINE complain about not having all the DLLs this thing wanted,
> mainly to do with net access and email facilities.
>
> It was hilarious, and to think that people actually connect live Windows
> pcs to the *Internet* !!!
>
> If they could see what's happening, they would be shocked.
>
> I then deleted my .wine directory, and typed 'wine' to get back to a
> nice pure, pristine, virus free WINE install.
>
> GNU/Linux/WINE is a window into the MS Windows underbelly.

Some people call that "slumming". 8)

Doctor Smith

Feb 22, 2009, 10:41:56 AM
On Sat, 21 Feb 2009 21:52:03 -0600, chrisv wrote:


> Some people call that "slumming". 8)

Interesting.
Most people I know call using Linux a huge waste of time.

Doug Mentohl

Feb 23, 2009, 2:53:55 PM
Sinister Midget wrote:

> Maybe somebody should write a HELLOWORLD script, make 2 copies, name one svhosts.exe, name the other temp.exe and distribute them to Acrobat users. It might make the Windummies feel less insecure.

"security researcher has published a home-brewed patch for a critical
Adobe Reader vulnerability that hackers are exploiting in the wild using
malicious PDF files"

Where's the patch for Linux?

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128428
