Skip to content

Adobe fans – get ready for the patch

March 22, 2011

Adobe fans – get ready for the patch but watch out for the scams.

Don’t pay for free software. You’re giving scammers money and undermining the reputation of the free software.

Amplify’d from nakedsecurity.sophos.com

Adobe fans – get ready for the patch but watch out for the scams

Adobe has been in the news this week after alerting Flash, Acrobat and Reader users about a forthcoming out-of-band patch for its products.

By wrapping a Flash file in an Excel spreadsheet, potential attackers have demonstrated a remotely-exploitable vulnerability.

(The attack doesn’t seem to be in-the-wild, and the exploit files I’ve heard of seem to rely on a sequence of already-known and already-detectable malicious operations, so there is no cause for alarm. But do look out for the Flash patches when Adobe publish them next week.)

One of the side-stories to this Flash-in-Excel risk is the suggestion that the creators of the exploit chose Excel as the container, instead of the more common PDF, because the exploit couldn’t be made to work on computers running Adobe Reader X.

The good news, says Adobe proudly, is that the new Adobe X security sandbox would prevent this attack. On Windows, anyway. Mac and Linux users aren’t sandboxed yet.

The bad news is that any broadly-publicised good news about product Y is easily exploited by scammers. If people are positive about Y, and a new version of Y is being talked about in the same breath, then scammers rush to offer you Y, but under false pretences.

And that’s just what Naked Security reader Wez reported to us today. He received an email offering him the very latest releases of the amazing Acrobat X:

The email explicitly claimed to come from Adobe in Ontario:

It didn’t, of course. This scam is similar to a Fake Anti-Virus (FakeAV) ripoff, except that the hokum product is a program to process PDF files.

Like FakeAV, the site is very thin and shallow, consistingly of little more than a home page, a generic “privacy policy” which gives no company information at all, and a range of download options that all lead to the same page:

The next page, of course, is where you pay:

Who knows what you’ll get? You certainly don’t get a download link if you don’t pay, so there’s no evaluation period for this product. But if you do pay, you’re promised – for two days only – a FREE GIFT!!!

Guess what? The free gift software you’re being offered is OpenOffice. It really is free. Always. In fact, you can download it free right now from the openoffice.org website.

It’s no big leap to assume, in fact, that the whole deal you are being offered is OpenOffice. After all, OpenOffice itself lets you edit and create PDFs. In that case, you’d be buying OpenOffice and getting it for free at the same time.

Don’t pay for free software. You’re giving scammers money and undermining the reputation of the free software.

About the author

Paul Ducklin is Sophos’s Head of Technology, Asia Pacific. He won the inaugural AusCERT Director’s Award for Individual Excellence in Computer Security in 2009. (Try saying that quickly.)
Email him in the Sydney office or follow him on Twitter at @duckblog.

Read more at nakedsecurity.sophos.com

 

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: