Related Links
Analysis
Blog
Vulnerabilities continue to be discovered and successfully exploited in Adobe's most popular products, Acrobat and Reader.
Some days ago we received an interesting PDF file (detected as Exploit.JS.Pdfka.bui) containing an exploit for CVE-2010-0188, a vulnerability originally discovered back in February in Acrobat/Reader version 9.3 and earlier.
The first thing that catches the eye is the intentionally malformed TIFF image inside the PDF file.
The vulnerability, a buffer overflow, manifests itself when the field containing the image is accessed. The attack is carried out using 'heap spraying', a technique widely used by exploits against products capable of running JavaScript code; the recent Aurora attack is a good example of this technique in action.
From the look of things Microsoft is starting off slow this year, with only one of each in today's release: one bulletin, one advisory and one re-released bulletin. However, there is still no bulletin for Security Advisory 977544, "Vulnerability in SMB Could Allow Denial of Service". Microsoft says they are still working on an update for this issue and are not aware of any attacks using the exploit code.
The bulletin they did release is MS09-035, the Active Template Library (ATL) bulletin, after adding Windows Embedded CE 6.0 to the affected product list. This release only affects developers and OEMs building applications on top of CE 6 or producing devices that use the operating system.
The last release from Microsoft was Security Advisory 979267, which raises awareness of reports of vulnerabilities in Adobe Flash Player 6, the version that shipped with Windows XP. I would like to mention that Flash 6.0 is a very old version, considering it came with XP, so please update to the latest version of Flash.
Please note that Adobe is releasing APSB10-02 Security Advisory today to resolve critical vulnerabilities being actively exploited in Adobe Reader and Acrobat 9.2 on Windows, Mac, and UNIX.
Even with only one update from Microsoft, I would suggest that everyone install it as a matter of standard procedure. But I would make the Adobe update my first priority this month.
Recently, vulnerabilities in Adobe products have come to pose a major threat, and the number of infections they cause overtook those resulting from vulnerabilities in Windows or Internet Explorer long ago.
The latest zero-day vulnerability was identified yesterday and grabbed the attention of AV researchers right away, as PDF files with a marked Chinese connection appeared in the wild.
One of these files was called "Cao Chang-Ching The CPP made eight mistang Urumuqi incident_mm.pdf". The events of the past few days in the Chinese town of Urumqi, where local residents clashed with police, made the news around the world, so it's no surprise to see this topic being used to spread malicious programs.
The files didn't contain the traditional JavaScript exploit, which had been the case with previous PDF vulnerabilities. However, when the PDF file is opened, two files called temp.exe and suchost.exe appear on the system: clearly there's some sort of exploit at work here, and one which works even on the most recent, patched version of Adobe Reader.
More detailed analysis showed that an SWF object, a Flash clip, had been embedded in the PDF file. Flash clips are also an Adobe product and are played with Adobe Flash Player.
Over the last couple of weeks, we've been seeing new modifications of the PDF exploits spread and managed by the El Fiesta toolkit. Among other things, this nasty package targets unpatched Adobe and browser vulnerabilities to download more malicious code onto the victim's machine.
A 'nice' feature, for the bad guys that is, is that Fiesta can be used not just to launch attacks but to monitor them online. The screenshot below shows data on attacks which have been launched against machines around the world.

El Fiesta got a fair bit of publicity back in September this year. The fact that we're seeing new variants shows there are still a good number of machines with unpatched software out there that malware writers want to get their hands on.