Defcon talk: 0-day, gh0stnet and the Adobe JBIG2Decode disclosure debacle – Steven Adair
This talk gave an insight into how Steven Adair and his coworker Matt Richard found out about an actively abused 0-day exploit in Adobe Acrobat, and how the responsible disclosure process turned into a mess.
Their investigation of this specific vulnerability was triggered by an Adobe advisory which discussed the vulnerability without much detail but did mention the name of the command and control server. Analyzing their malicious PDF samples, they found this server in a malicious sample from a bit earlier, and they already had the server name in their DNS monitor.
By analyzing the samples they had, they identified the vulnerability exploited in them (the JBIG2Decode filter) and started looking for matching samples.
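The two pivots described above, flagging PDF samples that invoke the JBIG2Decode filter and cross-checking a DNS monitor for a known command and control hostname, are easy to script for sample triage. The following is an added example written for this summary; it is not code from the talk or from Shadowserver. The PDF fragments and DNS log lines are constructed for illustration and carry no exploit payload, and the C2 hostname is a placeholder, since the page does not give the real one. The example goes slightly beyond a plain substring search: it resolves PDF `#xx` name escapes (so `/JBIG2#44ecode` is recognised) and expands filter arrays, both of which a naive `grep` for `/JBIG2Decode` would miss.

```python
"""Triage helper: flag PDFs that use the JBIG2Decode filter and list the
clients that resolved a known C2 hostname in a DNS monitor log."""
import re
from typing import Dict, List

# Constructed sample PDF fragments for illustration only (not real malware).
SAMPLES: Dict[str, bytes] = {
    "benign.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image "
        b"/Filter /FlateDecode /Width 1 /Height 1 >>\nstream\nx\nendstream\nendobj\n"
    ),
    "jbig2_plain.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image "
        b"/Filter /JBIG2Decode /Width 1 /Height 1 >>\nstream\nx\nendstream\nendobj\n"
    ),
    # Same filter, but the name is written with a PDF '#xx' hex escape
    # ('#44' is 'D'), which a literal search for b"/JBIG2Decode" misses.
    "jbig2_hexname.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Filter /JBIG2#44ecode >>\nstream\nx\nendstream\nendobj\n"
    ),
    # Filter chained in an array behind FlateDecode.
    "jbig2_chained.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Filter [ /FlateDecode /JBIG2Decode ] >>\n"
        b"stream\nx\nendstream\nendobj\n"
    ),
}

_NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>()]+)")          # a PDF name object
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")            # '#xx' inside a name
_FILTER_ENTRY = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[^\s/\[\]<>()]+)")


def normalize_names(data: bytes) -> bytes:
    """Resolve '#xx' escapes inside PDF names only, leaving stream bytes alone,
    so that /JBIG2#44ecode is matched as /JBIG2Decode."""
    def fix(m: "re.Match[bytes]") -> bytes:
        return b"/" + _NAME_ESCAPE.sub(lambda e: bytes([int(e.group(1), 16)]), m.group(1))
    return _NAME_TOKEN.sub(fix, data)


def stream_filters(data: bytes) -> List[bytes]:
    """Every filter name applied to any stream, in document order;
    array values such as [ /FlateDecode /JBIG2Decode ] are expanded."""
    names: List[bytes] = []
    for m in _FILTER_ENTRY.finditer(normalize_names(data)):
        names.extend(_NAME_TOKEN.findall(m.group(1)))
    return names


def uses_jbig2(data: bytes) -> bool:
    """True when the document applies the JBIG2Decode filter anywhere."""
    return b"JBIG2Decode" in stream_filters(data)


def triage(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each sample name to whether it should be pulled for analysis."""
    return {name: uses_jbig2(blob) for name, blob in samples.items()}


# Constructed DNS monitor lines: "<timestamp> <client> <queried name>".
DNS_LOG = """\
2009-02-19T10:01:02Z 10.0.0.21 www.example.com
2009-02-19T10:01:05Z 10.0.0.35 c2.placeholder.invalid
2009-02-19T10:02:11Z 10.0.0.21 updates.example.com
2009-02-19T10:03:40Z 10.0.0.35 c2.placeholder.invalid
"""


def hosts_querying(log: str, c2_hostname: str) -> List[str]:
    """Distinct client addresses that resolved the C2 hostname (placeholder
    value here; the real name from the advisory is not on this page)."""
    seen: List[str] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].lower() == c2_hostname.lower() and parts[1] not in seen:
            seen.append(parts[1])
    return seen


if __name__ == "__main__":
    for name, flagged in triage(SAMPLES).items():
        print(f"{name}: {'JBIG2Decode present' if flagged else 'no JBIG2Decode'}")
    print("clients that resolved the C2 name:", hosts_querying(DNS_LOG, "c2.placeholder.invalid"))
```

A JBIG2Decode hit alone is not proof of malice, since legitimate scanned documents use the filter too; in practice it selects the samples worth detonating, and a DNS match on the C2 name turns those samples into a list of hosts to look at.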
When they informed Adobe, since there was no advisory, Adobe stated that they were aware.
When they found that the attack was no longer used only in limited targeted attacks, but that the attack count was instead going up, they decided to do a partial disclosure on the shadowserver.org blog. After the partial disclosure, Adobe released an advisory telling people it would be fixed in just over a month.
A few days later a PoC turned up on Milw0rm, which was later turned into a weaponized exploit.
All in all, the talk gave quite a bit of insight into the lifecycle of malware.
Steven Adair can be contacted via Steven@schadowserver.com or on Twitter as @stevenadair