We are going to see Firefox 2.0.0.13 probably by end of this week. Check out this directory transversal code using view-sources: & resource: scheme
view-source:resource:///
translate to file:///C:/Program%20Files/Mozilla%20Firefox/

You can read/include firefox pref settings with this code. <script src=”view-source:resource:///greprefs/all.js”></script>

Workaround

Install No-script Add-ons.

Credits

Ronald van den Heetkamp at 0×000000

External Links

• Firefox 2.0.0.12 Information Leak POC

A JavaScript Buffer Overflow in Adobe Acrobat, Acrobat 3D & Reader allowed remote attacker to execute arbitrary code. The code will run with the privileges of the target user opening the PDF document.

Excerpt from iDefense Public Advisory;

Adobe Reader and Acrobat implement a version of JavaScript in the EScript.api plug-in which is based on the reference implementation used in Mozilla products. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code.

Workaround

Disabled Adobe Reader & Acrobat JavaScript. Perform Update ↓

Update -Adobe Acrobat & Reader version 8.1.2

Adobe released version 8.1.2 of Adobe Reader, Acrobat & Acrobat 3D to address
these vulnerabilities.

• Adobe Reader 7 and 8 users update to Adobe Reader 8.1.2
• Acrobat 8 users on Windows update to Acrobat 8.1.2
• Acrobat 8 users on Macintosh update to Acrobat 8.1.2
• Acrobat 3D version 8 users on Windows update to Acrobat 3D version 8.1.2

These vulnerabilities were discovered by Greg MacManus of VeriSign iDefense Labs.

Related Posts

• How to safely remove AcroRd32Info.exe (Adobe Reader)

External Links

• Security update available for Adobe Reader and Acrobat 8 (APSA08-01)

AcroRd32Info is a another creative pieces of crap from Adobe a package for Acrobat Reader. Embed in Windows Explorer Shell, its main role is to start an initial prefetching for PDF documents in the Memory.

To test this program behavior, you will need to open your windows task manager (ctrl+alt+del once) and browse to any folder that contained a PDF documents and stay idle. Within just few seconds AdobeRd32Info will be loaded in the background and stay in memory.That was just for browsing the folder without opening any PDF files yet.

Windows has a standard prefetch modes and its fairly stable for most of the applications out there. Having a another background prefetcher hook on explorer is plain abusive not to mention its running without the owner permissions.

Adobe Reader is cheating. Its understable that with this methods it will improve the Acrobat boot time log, but I dont see much differences when its running in the background preparing to load a single PDF documents, its a pollutions.

AcroRd32Info stay in your memory so consider it as a pestware.

Here’s how you can safely removed this programs.

The proper way

• open Adobe AcroRd32
• Edit » Preferences
• Select the internet categories in the menu list then disabled
  Allow fast web view & Allow speculative downloading in the background

If thats doesnt work, you try this unrecommended method to disabled it.

• Browse to Adobe Reader directory usually at “Program Files\Adobe\Reader\”
• Find AcroRd32Info.exe
• Rename it from AcroRd32Info.exe to Acro_Rd32Info.exe

Recent Exploit on Adobe Reader

Exploit:W32/AdobeReader.K

From FSECURE, Exploit:W32/AdobeReader.K is detection of a malicious PDF file that is being heavily spammed through e-mail and it appears as an attachment.
This malicious PDF file takes advantage of a vulnerability on the URI handling of PDF files. This vulnerability affects IE7, Adobe Acrobat, and Adobe Reader on some platforms.
Users should update their Adobe Reader installations.

Affected Software Versions

Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier. Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier.

More info on this exploits at National Vulnerability Database

Its quite rare to see website attacking visitors but the following site is an exception.

1. girlhell.org
2. 66.79.184.58
3. Apr 27 08 - usawarez.net

There is few known threads from the above website

1. JS/Exploit.ADODB.Stream NAP Trojan
2. Hidden download.
3. usawarez - False Image Checksum/corrupted

Fracois Paget from McAfee explain in great details regarding this Stream Attack and their Complete Methods. I’m quite amazed with the analysis. read it all here.