Fake Adobe Updates

Adobe's Product Security Incident Response Team (PSIRT) reports  that malicious emails are circulating claiming to be Adobe security updates, many of them signed by "James Kitchin" of "Adobe Risk Management", or a similar (presumably mythical) team.

Adobe says that the messages include links to download instructions for a security update that addresses "CVE-2010-0193 Denial of Service Vulnerability" (or similar).

It sounds as if the bad guys have done some homework: CVE-2020-0193 is a real issue – see the CVE (Common Vulnerabilities and Exposures) listing at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0193. However, it isn't particularly new, and Adobe already has a Security Bulletin at http://www.adobe.com/support/security/bulletins/apsb10-09.html that addresses it.

I'm rather surprised that Adobe didn't mention that in its blog on the current issue since the update addresses quite a few other CVE-identified issues:

CVE-2010-0190 through CVE-2010-0199
CVE-2010-0201 through CVE-2010-0204
CVE-2010-1241

While I can't vouch for the efficacy of that update or any other, clearly, it would be as well to be suspicious of any mail that mentions a new update to address any of those issues, in case any of the listed identifiers are used as "hooks" for other malicious mails. Of course, it's by no means unknown for blackhats to use made-up CVE or other vulnerability/bulletin identifiers, so the message there is not to take it for granted that an impressive identifier is real. But it's not the only take-home message.

Presumably (I haven't seen one so far) these are unsolicited messages, and no responsible company spams that sort of message out to the entire internet, or a subset of it. If you're subscribed to the Adobe Security Notification Service at http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert, you should receive email notifications that point to advisories/bulletins, but you have to subscribe first, and they will point to pages on Adobe's own adobe.com domain. (Of course, you should always beware of misleading links and redirects, too.) While I did complain here some time ago that the notification service didn't seem to be consistently updated, that issue seems to have been addressed some time ago: in fact, that's how I became aware of this particular issue.

It's not impossible, of course, that messages like this may appear to come from APNS in the hope of catching out people who are subscribed, in the same way that phishing scams are mailed out indiscriminately in the hope of catching out someone who has an account with the bank whose email and web site is spoofed.

Note also that Adobe notifications link only to advisories and bulletins: they never link directly to an executable update, or carry such an update as an attachment.

Adobe says that its product updates are only available "(1) via the product's automatic update feature or (2) from the Adobe website at http://www.adobe.com/downloads/updates/".

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://amtso.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/
http://chainmailcheck.wordpress.com
http://smallbluegreenblog.wordpress.com/

Author David Harley, ESET

  • Michael Vlahovic

    We had an incident where one of these e-mail got thru, and it was well crafted.
    The problem with this fake update was its use of real names and got routed to a unsuspecting user.
    My question ot the Eset staff, is how the Spammers where able to get the names and job titles for 3 major people in our organization.  Their selections they made where right on the money.
    I do not believe they are listing on the company website and wondered if  you had any idea of how they harvested these names.  Or if they had to do social engineering by calling a facility or the corporate office.
    Any feedback would help us tighten security.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

1 article related to:
Hot Topic

2FA

06 May 2010
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.