Published: 22/02/2010 Updated: 19/09/2017
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 990
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Unspecified vulnerability in Adobe Reader and Acrobat 8.x prior to 8.2.1 and 9.x prior to 9.3.1 allows malicious users to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.

Vulnerability Trend

Vendor Advisories

Synopsis Critical: acroread security and bug fix update Type/Severity Security Advisory: Critical Topic Updated acroread packages that fix two security issues and a bug are nowavailable for Red Hat Enterprise Linux 4 Extras and Red Hat EnterpriseLinux 5 SupplementaryThis update has been rated as having cri ...


## # $Id: adobe_libtiffrb 10477 2010-09-25 11:59:02Z mc $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # Framework web site for more information on licensing and terms of use # metasploitcom/framework/ ## require 'msf/core' require 'zl ...
## # $Id: mobilemail_libtiffrb 15950 2012-10-09 18:31:08Z rapid7 $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # web site for more information on licensing and terms of use # metasploitcom/ ## require 'msf/core' class Metasploit3 & ...
__doc__=''' Title: Adobe PDF LibTiff Integer Overflow Code Execution Product: Adobe Acrobat Reader Version: <=830, <=930 CVE: 2010-0188 Author: villy (villys777 at gmailcom) Site: bugix-securityblogspotcom/ Tested : succesfully tested on Adobe Reader 91/92/93 OS Windows XP(SP2,SP3) ------------------------------------------ ...
## # $Id: safari_libtiffrb 15950 2012-10-09 18:31:08Z rapid7 $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # web site for more information on licensing and terms of use # metasploitcom/ ## require 'msf/core' class Metasploit3 < ...

Metasploit Modules

Adobe Acrobat Bundled LibTIFF Integer Overflow

This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.

msf > use exploit/windows/fileformat/adobe_libtiff
      msf exploit(adobe_libtiff) > show targets
      msf exploit(adobe_libtiff) > set TARGET <target-id>
      msf exploit(adobe_libtiff) > show options
            ...show and set options...
      msf exploit(adobe_libtiff) > exploit

Github Repositories

Source Code Obfuscation And Binary Obfuscation, Multiple Languages And Multiple Platforms. Including 250+ Tools and 600+ Posts

所有收集类项目 Obfuscate 源码混淆和二进制混淆,包括多种语言和多个平台。250+工具和600+文章 English Version 目录 C/C++ advobfuscator -&gt; (1)工具 (1)文章 (5) 工具 dotNet de4dot -&gt; (2)工具 (2)文章 obfuscar -&gt; (1)工具 confuserex -&gt; (3)工具 (6)文章 (7) 工具 (10) 文章 PowerShell invoke-ob

Recent Articles

Investigation Report for the September 2014 Equation malware detection incident in the US
Securelist • Kaspersky Lab • 16 Nov 2017

In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were tr...

Kaspersky Security Bulletin. Spam in 2014
Securelist • Maria Vergelis Tatyana Shcherbakova Nadezhda Demidova • 12 Mar 2015

According to Kaspersky Lab, in 2014
The popularity of mobile devices continues to grow, and this is affecting spam in email traffic: the number of advertising services that will spread spam on mobile devices is increasing, as are the number of offers addressed to the spammers who profit from these mailings. The popularity of mobile devices also makes them a valid vector for cyber-attack: email traffic now includes malicious imitations of emails sent from smartphones as well as fake notific...

Spam and phishing in Q2 2014
Securelist • Darya Gudkova Nadezhda Demidova • 12 Aug 2014

PDF Version
On 1 July, new anti-spam legislation (CASL) came into effect in Canada. The new law covers commercial communications including email, messages on social networks and instant messaging services as well as SMS. Now, before a company starts sending emails, it must get the recipients’ consent. Canadian companies appear to have taken the new law seriously: in the second quarter, we saw a lot emails from Canadian companies asking users for permission to send their mailings. A...

Spam in May 2014
Securelist • Tatyana Shcherbakova Maria Vergelis • 30 Jun 2014

In the run-up to the summer, spammers offered their potential customers seedlings and seeds for gardening. In addition, English-language festive spam in May was dedicated to Mother’s Day – the attackers sent out adverts offering flowers and candies.
As usual, the spammers were very busy in the run-up to the Mother’s Day celebration in May, sending out adverts for flowers and candies ahead of the holiday. To get the attention of the recipient, the subject of the email contained the na...

Poison PDF pusher released to public
The Register • Darren Pauli • 12 Jun 2014

A quick download, a couple of clicks, a naughty URL and you're in the business of crime

Attacking enterprises just got easier with the development of an idiot-friendly tool that spits out booby-trapped PDFs with a few clicks.
The tool weaves existing exploits into PDFs, allowing attacks against Adobe Reader and Acrobat versions 8.x prior to 8.2.1 and 9.x before 9.3.1.
Users can insert their own URL pointers into the program, which then spits out an exploited PDF. Microsoft's free anti-virus had blocked the attack (CVE-2010-0188) in a test and it was likely other platfor...

Attacks on New Microsoft Zero Day Using Multi-Stage Malware
Threatpost • Dennis Fisher • 06 Nov 2013

Attackers exploiting the Microsoft Windows and Office zero day revealed yesterday are using an exploit that includes a malicious RAR file as well as a fake Office document as the lure, and are installing a wide variety of malicious components on newly infected systems. The attacks seen thus far are mainly centered in Pakistan.
The CVE-2013-3906 vulnerability, disclosed Tuesday by Microsoft, is a remote code execution flaw that involves the way that Windows and Office handle some TIFF files...

NSA Whistleblower Article Redirects to Malware
Threatpost • Michael Mimoso • 10 Jun 2013

Update: Aaron Harison, president of the Center for American Freedom, told Threatpost this morning that the issue has been resolved and the site is no longer serving malware. 
Hackers have latched on to the NSA surveillance story—literally.
A news story on the outing of whistleblower Edward Snowden posted to the Washington Free Beacon is serving malware redirecting visitors to a malicious site where more malware awaits. The Free Beacon site remains infected, according to Invincea ...

D.C. Media Sites Hacked, Serving Fake AV
Threatpost • Michael Mimoso • 07 May 2013

Websites belonging to a number of Washington, D.C.-area media outlets have been compromised in a series of opportunistic attacks with criminals using a watering-hole tactic to spread scareware, or phony antivirus software.
Popular D.C. radio station WTOP, sister station Federal News Radio, and the site of technology blogger John Dvorak, were infected with exploits targeting third-party Java or Adobe browser plug-ins. The exploits redirect site visitors to an exploit kit serving a scareware...

Reminder: be careful opening invoices on the 21st March
Securelist • Ben Godwood • 15 Mar 2013

On March 4th we spotted a large number of unusual emails being blocked by our Linux Mail Security product. The emails all contained the same PDF attachment (MD5: 97b720519aefa00da58026f03d818251) but were being sent from many different source addresses.
The emails were written in German and most were sent from German IP addresses. Below is a map showing the distribution of addresses:

The computer names referenced in the mail headers were often of the form Andreas-PC or Kerstin...

Bots, Zeus, Web Exploits: the Most Potent Threats of 2012
Threatpost • Brian Donohue • 07 Feb 2013

Every year it seems that security-related news advances further from its roots in national security circles, IT departments, and the antivirus industry into the mainstream consciousness. From July to the end of year was no exception. However, despite a handful of flashy security stories, F-Secure claims that the second half of 2012 was really about things that rarely (if ever) come up in local and national news: botnets, ZeroAccess in particular, Java and other Web exploits, and the ubiquitous Z...

A Targeted Attack Against The Syrian Ministry of Foreign Affairs
Securelist • GReAT • 30 Nov 2012

Several days ago, a number of leaked documents from the Syrian Ministry of Foreign Affairs were published on Par:AnoIA, a new wikileaks-style site managed by the Anonymous collective.
One of our users notified us of a suspicious document in the archive which is detected by our anti-malware products as Exploit.JS.Pdfka.ffw. He was also kind enough to send us a copy of the e-mail for analysis.
Weve checked the e-mail, which contains a PDF file with an exploit (CVE-2010-0188, see http:/...

Fake Facebook Alert Emails Link to Black Hole Sites
Threatpost • Brian Donohue • 27 Nov 2012

Attackers are sending spoofed “pending notification” emails to Facebook users, claiming that the recipients overlooked some alert on the world’s largest social network, and providing them with a link that supposedly leads to the allegedly neglected content but which, in reality, funnels users to a series of compromised websites hosting the Black Hole Exploit Kit, according to researcher Dancho Danchev.
The malicious email, which can be seen below, is crafted to and does a...

Fake Payroll Confirmation Email Leads to Black Hole Exploit Kit
Threatpost • Brian Donohue • 19 Oct 2012

Criminal hackers launched an attack campaign earlier this week in which they sent a slew of emails purporting to come from the financial software developer Intuit. The emails contained links that led to sites hosting the Blackhole exploit kit in an apparent attempt to infect the machines of corporate users.
In a Webroot analysis, Dancho Danchev explains that the two separate campaigns imitated Intuit Payroll’s direct deposit system in hopes that their recipients would follow ...

Fake Automated Craigslist Email Notifications Link to Blackhole Exploit Kit
Threatpost • Brian Donohue • 07 Jun 2012

UPDATE: A big wave of emails purporting to be Craigslist notifications but containing links to websites hosting the Black Hole exploit kit hit the Internet yesterday, a day that already was filled with drama surrounding the LinkedIn password dump.
The malicious emails, 150,000 of which were caught by Websense Security Lab’s Cloud Email Security portal yesterday, attempt to convince recipients that “FURTHER ACTION IS REQUIRED TO COMPLETE [THEIR] REQUEST!!!” The emails g...

New Exploit Kit RedKit Discovered in Wild
Threatpost • Brian Donohue • 07 May 2012

A new exploit kit hit the scene recently, and according to Arseny Levin of Spiderlabs, the RedKit exploit kit contains an API that generates new host-site URLs every hour.
The authors of the kit haven’t named it, so Levin and Spiderlabs simply chose to call it RedKit in reference to its color scheme.
RedKit’s most salient feature is the API that creates a fresh attack URL every hour. This feature will make it incredibly difficult to reliably block RedKit infected site...

Exploit Kit plays with smart redirection (amended)
welivesecurity • Aleksandr Matrosov • 05 Apr 2012

This week we have detected another interesting attack vector. This time cybercriminals are using an interesting technique for hiding malicious Javascripts and employ implicit iFrame injection. At this moment we are tracking hundreds of infected legitimate web sites in the Russian internet segment using this technique of infection. Let’s analyze this attack method step by step. (Since original publication there have been several updates to this story and they are at the bottom of this page.)

Carberp: It’s Not Over Yet
Threatpost • Vyacheslav Zakorzhevsky • 27 Mar 2012

On 20 March, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan. This is very good news, but unfortunately does not mark the end of the Carberp story.
Evidently, those arrested were just one of the criminal gangs using the Trojan. At the same time, those who actually developed Carberp are still at large, openly selling the Trojan on cybercriminal forums.
Here is a recent offer for the ‘multif...

Carberp: it’s not over yet
Securelist • Vyacheslav Zakorzhevsky • 26 Mar 2012

On 20 March, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan. This is very good news, but unfortunately does not mark the end of the Carberp story.
Evidently, those arrested were just one of the criminal gangs using the Trojan. At the same time, those who actually developed Carberp are still at large, openly selling the Trojan on cybercriminal forums.
Here is a recent offer for the ‘multifunctional ba...

Mass WordPress Compromise Fuels CRIDEX Worm Outbreak
Threatpost • Brian Donohue • 22 Mar 2012

There are a number of compromised sites on the popular blogging platform, WordPress, which, according to a Trend Labs report, are actively infecting users with the CRIDEX worm.
The infections are part of a social engineering campaign that lures users with emails purporting to come from trusted sources like LinkedIn and the Better Business Bureau, Trend Labs warned.
E-mails purporting to come from the Better Business Bureau informs its recipients of a (non-existent) compla...

Waves of Attacks Target Adobe Reader Bug From 2010
Threatpost • Dennis Fisher • 22 Feb 2012

Thanks to the wonderful tendency of users not to update their applications, old vulnerabilities never die, they just get overtaken by newer and shinier ones. The attackers know this well, and every once in a while they serve up a nice reminder to the rest of us. The most recent one of these is a string of attacks against an Adobe Reader vulnerability from 2010.
The vulnerability, which is more than two years old, is a flaw in Reader and Acrobat that can be exploited remotely. A...

New Exploit Targeting Java Vulnerability Found in BlackHole Arsenal
Securelist • Vyacheslav Zakorzhevsky • 13 Dec 2011

On 3 December, we noted a rapid growth in the number of detections for exploits targeting the vulnerability CVE-2011-3544 in Java virtual machine. The vulnerability was published on 18 October, but malicious users have only recently begun to make active use of it. It can be used by exploits in drive-by attacks to download and launch malicious programs.

Number of unique detections of Exploit.Java.CVE-2011-3544
According to KSN data, most of the exploits targeting CVE-2011-3544 ...

Monthly Malware Statistics July 2010
Securelist • Vyacheslav Zakorzhevsky • 02 Aug 2010

The first Top Twenty list below shows malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time.

The first half of this list remained unchanged from last month, with viruses such as Sality and Virut and the infamous Kido worm all maintaining their positions. The second half, however, threw up a few surprises with six new entries. Let’s look at each of them in turn.

Zbot and CVE2010-0188
Securelist • Vyacheslav Zakorzhevsky • 28 Jul 2010

I just came across a suspicious PDF file, so I decided to take a deeper look. Once the file was unpacked, I got an xml file with TIFF image. However, the whole thing looked very strange. The whole thing looked very fishy, and ultimately, it turned out that the xml file contained an exploit for CVE-2010-0188.
I thought it was a bit odd that we hadn’t come across files like this before, so I decided to tak a look at stats for this vulnerability:

CVE-2010-0188 exploit statistic...

World-Cup Malware: the Kick-Off
welivesecurity • David Harley • 26 Mar 2010

Looking into their crystal balls (no jokes, please) at the end of 2009, our colleagues in Latin America came up with a prophecy that was later incorporated into a white paper (2010: Cybercrime Coming of Age):
In June 2010, one of the most popular regular sports events, the soccer World Cup, will take place in South Africa. We can expect that this will be a widely exploited topic in social engineering attacks, due to the great interest it will inspire in many users.

Well, we d...

Adobe yet again
Securelist • Eugene Aseev • 15 Mar 2010

Vulnerabilities continue to be detected and successfully exploited in Adobe’s most popular products – Acrobat and Reader.
Some days ago we received an interesting PDF file (detected as Exploit.JS.Pdfka.bui) which contained an exploit for the CVE-2010-0188 vulnerability, which was originally discovered back in February in Acrobat/Reader version 9.3 and earlier.
The first thing that catches the eye is the intentionally malformed TIFF image inside the PDF file.

The vuln...

Recently Patched Adobe PDF Flaw Being ‘Actively Exploited’
Threatpost • Ryan Naraine • 10 Mar 2010

Malicious hackers have pounced on a newly patched Adobe PDF Reader vulnerability to plant Trojan downloaders on tardy Windows users.
According to researchers in Microsoft’s malware protection center, the vulnerability (CVE-2010-0188) was patched less than a month ago, proving that malicious hackers are quick to find fresh targets for malware.
Microsoft’s Marian Radu explains:
While recently analyzing a malicious PDF file, I noticed a vulnerability exploited by ...

Adobe Plugs Critical PDF Code Execution Flaw
Threatpost • Ryan Naraine • 16 Feb 2010

today released an out-of-band security update to patch a pair of gaping
holes that expose hundreds of millions of computer users to remote code
execution attacks.
The vulnerabilities are rated “critical” and affect Adobe Reader and Adobe Acrobat on all platforms — Windows, Mac and Linux.
PDF Reader/Acrobat update falls outside of the company’s scheduled
quarterly patch cycle.  It is not yet clear why Adobe opted for an