
    Archive for February 24th, 2010




    Within days of Adobe’s release of out-of-band security updates for both Acrobat and Reader, word now comes from security researcher Aviv Raff of another new vulnerability in an Adobe product.

    The flaw was found in Adobe Download Manager (DLM), an application Adobe uses to deliver common applications (e.g., Flash and Reader) to users’ systems. Normally, it cannot be used to download non-Adobe files onto users’ systems. However, according to Raff, a vulnerability in DLM allows third parties to download and install files onto users’ systems, in effect making it usable as a malware downloader.

    Raff has not released specific details about this vulnerability and has indicated that he would not do so until the problem has been resolved by Adobe. On Tuesday, Adobe released a new security bulletin indicating that it has resolved this issue. Users who used Adobe DLM to download either Flash or Acrobat from February 23, 2010 onward are safe; everyone else is advised to remove the Adobe Download Manager entry in the Add/Remove Programs applet in the Windows Control Panel.

    This is not the first time DLM has proven vulnerable to malicious attacks. In fact, in January this year, a remote code execution vulnerability in the application was among those Adobe patched.

    This was on top of a bug that Raff also discovered earlier, which allowed DLM to be triggered into downloading Adobe or Adobe-approved applications simply by visiting a specific URL on the company’s site. Whenever an unpatched vulnerability in an Adobe product was present, this bug could allow cybercriminals to install that vulnerable application onto users’ systems and then exploit it to execute malware.

    Security Has a Price—Problems with Security Updates

    Trend Micro researcher Rajiv Motwani notes that the combined impact of fixing these and other similar holes in a relatively short period of time is becoming problematic for users, particularly enterprises. In theory, Adobe is supposed to release quarterly security updates for its products, but regular discoveries of new flaws have been significantly undermining that plan.

    Though unscheduled patches pose problems for home users and small businesses, large enterprises face greater risks. System administrators are traditionally loath to use automatic updates on enterprise systems, as these may cause disruptions to important business operations.

    The burden of updating systems will then fall either on users or on administrators, neither of whom finds this an appealing proposition. It is also likely that systems will simply not be updated, leaving them wide open to exploits. A Trusteer study found that this was exactly the case for Adobe products, revealing that only 7 percent of the total number of product users had updated versions of Acrobat, while only 19 percent had updated Flash versions.

    These concerns are always present for applications. However, for Adobe products like Flash and Acrobat, the risks are greater due to the vendor’s success. The same Trusteer study found that more than 90 percent of the total number of users run some version of Flash while 99 percent run Acrobat or Reader applications.

    As Motwani notes, these two factors—Adobe’s high market penetration and users’ failure to regularly patch their systems—not only raise the number of systems that can potentially be affected but also mean that organizations face the added burden of testing each patch for stability and/or performance issues and of rolling it out in a phased manner.

    Solutions and Best Practices

    Consumers and small businesses will benefit most by applying any Adobe patch as soon as it is released. Both Flash and Acrobat products now include standard auto-update features that can be scheduled to check for updates on a regular basis.

    The Intrusion Detection Firewall (IDF) plug-in for Trend Micro OfficeScan™ helps protect enterprise users against threats of this nature, providing protection until system administrators deem it acceptable to roll out the relevant patches.




    TrendLabs Web content security analysts recently received spammed messages (see Figure 1) purporting to come from the Bank of Nevada. At first, the attack seems just like any other common phishing attack. However, users who are tricked into clicking the URL embedded in the spammed messages will be redirected to a fake Bank of Nevada home page (see Figure 2).

    [Figure 1 and Figure 2: the spammed message and the fake Bank of Nevada home page]

    After a second or two, users will again be redirected to the following malicious adult site.

    [Figure: the malicious adult site to which users are finally redirected]

    At present, TrendLabs engineers have identified 29 unique domains related to this phishing attack. Note, however, that the cybercriminals behind this attack used more than 1,000 URLs and spammed messages.

    The Bank of Nevada has also acknowledged this phishing attack on its home page (see Figure 5) and has issued its own statement on its site to protect its online banking customers (see Figure 6).

    [Figure 5 and Figure 6: the Bank of Nevada’s home page notice and its statement on the phishing attack]

    Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from reaching users’ inboxes via the email reputation service and by blocking access to malicious sites and domains via the Web reputation service.

    Non-Trend Micro product users can also stay protected by using eMail ID, which keeps fake messages from reaching their inboxes and helps users quickly find legitimate messages.




    A new Twitter worm is making the rounds. If you receive a direct message from a “friend” that contains the following message:

    “This you????”

    It is likely malicious. Clicking the link, http://twitter.login.{BLOCKED}home.org/login/, will redirect you to a subpage of the said domain. You will then be prompted to log in to your Twitter account.

    Note how closely the fake login page duplicates Twitter’s actual login page:

    [Figure: the fake Twitter login page]

    Once you log in, your credentials will be stolen and all of your followers will receive a direct message from you with a link to the same site, allowing the worm to propagate further. Doubtless, at some point in the future, the cybercriminals behind this attack will use the same stolen credentials to send out other malicious content from a huge number of compromised Twitter accounts.

    So remember, think before you click! For more great tips and tricks with regard to social networking, you may read this.

    Trend Micro™ Smart Protection Network™ protects product users from this kind of attack by blocking user access to the malicious domain and other related sites.
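    Both the Bank of Nevada phishing run and this Twitter worm rely on a hostname that carries a trusted brand in its subdomain labels while the registrable domain belongs to someone else (the worm’s link places “twitter.login.” in front of an unrelated .org domain). The following is an added example written for this post, not Trend Micro’s own code, of the check a mail or web filter can apply before a user ever sees the link: it finds the registrable domain of each URL and flags any URL whose hostname mentions a watched brand without actually belonging to that brand’s domain. The public-suffix list and the brand watch list are deliberately tiny assumptions made for the example (a real filter would use the full Public Suffix List), and the sample hostnames are constructed placeholders, not the blocked domain from the post.

```python
import re
from urllib.parse import urlsplit

# Assumption: a minimal public-suffix table for the example. A production filter
# would load the full Public Suffix List instead of this hand-picked set.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

# Assumption: a defender's watch list of brands and the domains they really own.
# "twitter.com" is the genuine Twitter domain; "examplebank.com" is constructed.
BRAND_DOMAINS = {
    "twitter": "twitter.com",
    "examplebank": "examplebank.com",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host):
    """Return the registrable domain of a hostname: the label directly below
    the longest matching public suffix (e.g. 'example.co.uk')."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # bare public suffix, nothing registrable
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_brands(url):
    """Return the watched brands that appear somewhere in the hostname even
    though the registrable domain is not the brand's own domain."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg is None:
        return []
    # Strip dots and hyphens so 'twitter.login.' and 'twitter-login' both match.
    squashed = host.replace(".", "").replace("-", "")
    hits = []
    for brand, legit in BRAND_DOMAINS.items():
        if reg == legit:
            continue  # genuine domain or one of its real subdomains
        if brand in squashed:
            hits.append(brand)
    return hits


def flag_message(text):
    """Scan a message body for URLs and map each suspicious URL to the brands
    it imitates. Clean URLs are omitted from the result."""
    flagged = {}
    for url in URL_RE.findall(text):
        brands = lookalike_brands(url)
        if brands:
            flagged[url] = brands
    return flagged


if __name__ == "__main__":
    # Constructed lure in the style of the worm's direct message; the hostname
    # is a placeholder, not the domain blocked in the post.
    sample_dm = "This you???? http://twitter.login.placeholder-home.org/login/"
    print(flag_message(sample_dm))
```

    The check is intentionally conservative on the genuine side: any real subdomain of a brand’s own domain (api.twitter.com, for instance) passes, because the decision is made on the registrable domain rather than on string matching alone. Its weak spot is the suffix table; with an incomplete one, a hostname under an unlisted suffix is judged on its last two labels, so the full Public Suffix List matters in a real deployment.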


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice