February 22, 2012

Adobe Fixes Critical Vulnerabilities and Adds JavaScript Whitelisting to Adobe Reader and Acrobat

(LiveHacking.Com) – Adobe has released updates for Adobe Reader and Adobe Acrobat to address multiple critical vulnerabilities, including the zero-day Universal 3D (U3D) processing bug found last month. If exploited, these vulnerabilities would allow a hacker to create a denial-of-service condition or take control of the affected system.

Details of the Critical fixes are:

  • Resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-4370).
  • Resolves a heap corruption vulnerability that could lead to code execution (CVE-2011-4371).
  • Resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-4372).
  • Resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-4373).
  • These updates include fixes for CVE-2011-2462 and CVE-2011-4369, previously addressed in Adobe Reader and Acrobat 9.x for Windows as referenced in Security Bulletin APSB11-30.

It is also worth noting that these updates include the Adobe Flash Player update noted in Security Bulletin APSB11-28.

JavaScript whitelisting
Adobe also added a new feature to Adobe Reader and Acrobat X (10.1.2) and 9.5 called JavaScript whitelisting. In previous versions of Reader and Acrobat, administrators could disable the execution of JavaScript embedded in PDF files to protect against PDF files containing malicious JavaScript. However, such a blanket control breaks PDF-based solution workflows that rely on forms and JavaScript. In the new versions, execution of JavaScript in PDF files is based on document trust. If a document is trusted, JavaScript execution will be allowed; if it is untrusted, Adobe Reader and Acrobat will prevent all JavaScript execution. For more detail see Adobe’s blog post.

Affected versions

  • Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.4.7 and earlier 9.x versions for Windows
  • Adobe Reader 9.4.6 and earlier 9.x versions for Macintosh
  • Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.4.7 and earlier 9.x versions for Windows
  • Acrobat 9.4.6 and earlier 9.x versions for Macintosh

Adobe recommends users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). For users of Adobe Reader 9.4.7 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.2), Adobe has made available the update Adobe Reader 9.5. The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for April 10, 2012.

Adobe Reader Zero-day Vulnerability Patch Coming Today?

(LiveHacking.Com) - Ten days ago Adobe published a security advisory for Adobe Reader and Acrobat detailing a “critical” zero-day vulnerability that was already being actively exploited on the Internet, specifically against Adobe Reader 9.x on Windows.

The vulnerability is present in Adobe Reader and Adobe Acrobat X and 9.x. Reader X and Acrobat X users can protect themselves against it by using Protected View / Mode, but there is no workaround for Adobe Reader 9.x. Adobe therefore promised a new release of Adobe Reader and Adobe Acrobat 9.x to fix the problem. This update is expected today.

According to Brad Arkin, the Senior Director for Product Security and Privacy at Adobe, the rationale behind releasing a hot fix only for Adobe Reader and Acrobat 9 on Windows is that “this is the version and platform currently being targeted.”

Soon after Adobe published details of the vulnerability, researchers at Symantec released details of attacks seen in the wild saying that the “critical vulnerability has recently been seen exploited in the wild in targeted attack emails sent on November 1st and 5th. This attack leverages the zero-day vulnerability in order to infect target computers with Backdoor.Sykipot.”

To exploit the zero-day vulnerability the attackers sent out emails with a specially crafted PDF attachment. This PDF uses a bug in Adobe’s Universal 3D (U3D) processing to cause a memory corruption and deliver its payload. News reports suggest that the emails targeted defense contractors; however, companies in the telecoms, wholesale, and computer hardware industries have also been targeted.

Adobe Reader X and Adobe Acrobat X users should verify that they are using Protected View / Mode:

  • To verify Protected View for Acrobat X is enabled, go to: Edit > Preferences > Security (Enhanced) and ensure “Files from potentially unsafe locations” or “All files” with “Enable Enhanced Security” are checked.
  • To verify Protected Mode for Adobe Reader X is enabled, go to: Edit > Preferences > General and verify that “Enable Protected Mode at startup” is checked.

Adobe Acrobat has Critical Zero-Day Vulnerability

(LiveHacking.Com) - Adobe has published a security advisory for Adobe Reader and Acrobat detailing a “critical” vulnerability which when exploited can cause a crash and potentially allow an attacker to take control of the affected system. There are also reports that this vulnerability is being actively exploited on the Internet, specifically against Adobe Reader 9.x on Windows.

The vulnerability, which affects Adobe Acrobat X and Adobe Reader X and earlier versions for Windows and Macintosh, and Adobe Reader 9.x versions for UNIX, is in the Universal 3D (U3D) processing. U3D is a compressed file format standard for 3D computer graphics data which is natively supported by PDF. The vulnerability is a memory corruption in U3D processing and can allow an attacker to take control of the affected system.

Adobe Reader X using Protected Mode and Adobe Acrobat X using Protected View are not vulnerable. Adobe will therefore first release a fix for Adobe Reader 9.x and Acrobat 9.x for Windows, no later than the week of December 12, 2011. Adobe Reader X and Adobe Acrobat X will be updated in the next quarterly security update, which is currently scheduled for January 10, 2012, when the Mac and UNIX versions will also be updated.

According to Brad Arkin, the Senior Director for Product Security and Privacy at Adobe, the rationale behind releasing a hot fix only for Adobe Reader and Acrobat 9.4.6 on Windows is that “this is the version and platform currently being targeted.”

“All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE)” he wrote.

It is therefore essential that Adobe Reader X and Adobe Acrobat X users verify that they are using Protected View / Mode.

  • To verify Protected View for Acrobat X is enabled, go to: Edit > Preferences > Security (Enhanced) and ensure “Files from potentially unsafe locations” or “All files” with “Enable Enhanced Security” are checked.
  • To verify Protected Mode for Adobe Reader X is enabled, go to: Edit > Preferences > General and verify that “Enable Protected Mode at startup” is checked.

Adobe Fixes Cross-site Scripting Vulnerability in Flex SDK

(LiveHacking.Com) - Adobe has published a security advisory about an “important” vulnerability in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on Windows, OS X and Linux. As a result of this vulnerability, applications built with the Flex SDK could be open to cross-site scripting attacks.

Adobe are recommending that developers using Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using these instructions.

Which applications are vulnerable?

  • All web-based (not AIR-based) Flex applications built using any release of Flex 3.x (including 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.4, 3.4.1, 3.5, 3.5A, and 3.6) are vulnerable.
  • Web-based (not AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5, and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable, except in certain cases that involve the use of embedded fonts.
  • Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) will not be vulnerable, but there are rare cases in which they may be vulnerable.
  • Flex applications built using any release of Flex prior to 3.0 are not vulnerable.
  • Flex applications that are AIR-based (not web-based) are not vulnerable.
  • SWF files that were created without using Flex (such as files created in Adobe Flash Professional) are not vulnerable.

Google Releases Chrome 15.0.874.120 With a New Version of Flash Plus Various Security Fixes

Google has released Chrome 15.0.874.120 for Windows, Mac and Linux with a new version of Flash. This new version of Adobe Flash Player fixes several memory corruption vulnerabilities that could lead to arbitrary code execution.

Google paid out $2,000 in rewards for this version, with all of the money going to Aki Helin of OUSPG:

  • [$500] [100465] High CVE-2011-3892: Double free in Theora decoder. Credit to Aki Helin of OUSPG.
  • [$500] [100492] [100543] Medium CVE-2011-3893: Out of bounds reads in MKV and Vorbis media handlers. Credit to Aki Helin of OUSPG.
  • [101172] High CVE-2011-3894: Memory corruption regression in VP8 decoding. Credit to Andrew Scherkus of the Chromium development community.
  • [$1000] [101458] High CVE-2011-3895: Heap overflow in Vorbis decoder. Credit to Aki Helin of OUSPG.
  • [101624] High CVE-2011-3896: Buffer overflow in shader variable mapping. Credit to Ken “strcpy” Russell of the Chromium development community.
  • [102242] High CVE-2011-3897: Use-after-free in editing. Credit to pa_kt reported through ZDI (ZDI-CAN-1416).
  • [102461] Low CVE-2011-3898: Failure to ask for permission to run applets in JRE7. Credit to Google Chrome Security Team (Chris Evans).

Note that the referenced bugs are kept private by Google until a majority of Chrome users have updated.

Google also fixed the following bugs:

  • Updated V8 – 3.5.10.23
  • Fix small print sizing issues (issues: 10218682472102154)
  • Fixed the “certificate is not yet valid” error for server certificate issued by a VeriSign intermediate CA. (issue 101555) [OS X only]

Microsoft Plugs TCP/IP Hole While Adobe Fixes Critical Vulnerabilities in Shockwave

(LiveHacking.Com) - Microsoft has issued four security bulletins to address four vulnerabilities in its Windows operating system including a ‘Critical’ vulnerability in TCP/IP.

The networking flaw, which was reported privately to Microsoft, could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system. Successful exploitation of MS11-083 would let an attacker run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The flaw exists in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 but not in Windows XP or Windows Server 2003.

The remaining three bulletins are as follows:

MS11-085 – Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .eml or .wcinv file) from this location that is then loaded by a vulnerable application.

MS11-086 – Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837) – This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if Active Directory is configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate that is associated with a valid domain account and then uses that revoked certificate to authenticate to the Active Directory domain. By default, Active Directory is not configured to use LDAP over SSL.

MS11-084 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user opens a specially crafted TrueType font file as an e-mail attachment or navigates to a network share or WebDAV location containing a specially crafted TrueType font file. For an attack to be successful, a user must visit the untrusted remote file system location or WebDAV share containing the specially crafted TrueType font file, or open the file as an e-mail attachment. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an e-mail message or Instant Messenger message.

Adobe Shockwave Player

Whilst Microsoft was busy fixing its networking code, Adobe posted a security bulletin about its Shockwave Player.

Critical vulnerabilities exist in Adobe Shockwave Player 11.6.1.629 and earlier versions on Windows and OS X. Successful exploitation would let an attacker run arbitrary code.

A new version of Shockwave Player is available which:

  • Resolves a memory corruption vulnerability in the DIRapi library that could lead to code execution (CVE-2011-2446).
  • Fixes a memory corruption vulnerability that could lead to code execution (CVE-2011-2447).
  • Resolves a memory corruption vulnerability in the DIRApi library that could lead to code execution (CVE-2011-2448).
  • Fixes multiple potential memory corruption vulnerabilities in the TextXtra module that could lead to code execution (CVE-2011-2449).

Adobe Changes Flash Player Settings Manager To Stop Clickjacking

(LiveHacking.Com) - Adobe has made changes to the Flash Player Settings Manager SWF file hosted on the Adobe website in response to a vulnerability that allowed any website to turn on your webcam and microphone without your knowledge or consent.

Feross Aboukhadijeh, a Stanford University computer science student, found that a maliciously crafted web page could use the vulnerability for a “clickjacking” attack which resulted in the webcam and microphone being activated and so allowing a remote attacker to spy on the victim.

The attack loads the Flash Player Settings Manager SWF file into an iframe and then makes it invisible using CSS. The unsuspecting user then plays a little game and unwittingly enables their webcam.
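The attack above depends on the Settings Manager page being embeddable in a third-party iframe. As an added example (not code from the article or from Adobe), the following check evaluates whether a response's X-Frame-Options and CSP frame-ancestors headers would permit such framing; the origins used are constructed placeholders.

```javascript
// Added example, not from the article: a defender's check of whether a
// response's anti-framing headers would let the page be embedded in an
// iframe by a top-level document at `embedderOrigin`. It follows the
// browser rules: a CSP frame-ancestors directive takes precedence over
// X-Frame-Options, and with neither present any site may frame the page.

// Return the frame-ancestors source list from a CSP header, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Match one source expression ('self', 'none', "https:", "https://*.example.test")
// against an embedder origin such as "https://www.example.test".
function sourceMatches(src, embedderOrigin, selfOrigin) {
  if (src === 'none') return false;
  if (src === 'self') return embedderOrigin === selfOrigin;
  const o = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return o.protocol === src; // scheme-only source
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && o.protocol !== scheme + ':') return false;
  if (port && o.port !== port) return false;
  return wildcard ? o.hostname.endsWith('.' + host) : o.hostname === host;
}

// Case-insensitive header lookup over a plain { name: value } object.
function header(headers, name) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) return v;
  }
  return undefined;
}

// True if a document served with `headers` from `selfOrigin` can be framed
// by a page at `embedderOrigin`, which is what the clickjacking attack needs.
function framingAllowed(headers, selfOrigin, embedderOrigin) {
  const sources = parseFrameAncestors(header(headers, 'content-security-policy'));
  if (sources) return sources.some(s => sourceMatches(s, embedderOrigin, selfOrigin));
  const xfo = (header(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === selfOrigin;
  return true; // no anti-framing header: any origin can embed the page
}

// Constructed sample (hypothetical origin): the settings page served with no
// anti-framing header versus the same page hardened with a frame-ancestors policy.
const SETTINGS_ORIGIN = 'https://settings.example.test';
const unprotected = {};
const hardened = { 'Content-Security-Policy': "frame-ancestors 'self'", 'X-Frame-Options': 'DENY' };
```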

The fix applied by Adobe requires no user action or Flash Player product update.

Flash 11 to Add New Security Features

(LiveHacking.Com) - Adobe has announced that Flash Player 11 will be released in October and will contain lots of new features for gaming, media and data-driven applications. It will also include several important security features.

The first major new feature Adobe are adding is support for SSL socket connections, which will make it easier for developers to protect the data they stream over the Flash Player raw socket connections.

Flash 11 will also include a new secure random number generator. Previously only a simple random number generator was provided; it was OK for games, but it wasn’t good enough for cryptography. The new random number generator API hooks into the cryptographic provider of the host device, such as the CryptGenRandom function in Microsoft CAPI on Windows, to generate the random numbers. The native OS cryptographic providers have better sources of entropy and have been peer reviewed by industry experts.

Flash 11 will have full native 64-bit support for 64-bit browsers on Linux, Mac OS, and Windows. As a result, when Flash is used with a 64-bit browser that supports address space layout randomization (ASLR), users will be protected by full 64-bit ASLR.

New Version of Flash Coming to Fix Zero-day Vulnerability – Google Releases Updated Chrome First

(LiveHacking.Com) - Adobe will release an out of cycle update to Flash to address critical security issues. The update will also fix a universal cross-site scripting issue that is reportedly being exploited in the wild.

Although not all the details are available yet, it is likely (since this is an out of cycle release) that this vulnerability, if exploited, would allow malicious native-code to execute, potentially without a user being aware.

Google is one step ahead of Adobe and has released a new version of its Chrome web browser, which has a built-in version of Flash, to address what it calls “a zero-day vulnerability” in Flash Player:

The Beta and Stable channels have been updated to 14.0.835.186 for Windows, Mac, Linux, and Chrome Frame. This release includes an update to Flash Player that addresses a zero-day vulnerability.

Adobe Updates Acrobat to Fix Security Problems; Also Revokes Trust in DigiNotar

(LiveHacking.Com) - Adobe has released an update to Acrobat and Acrobat Reader to fix various Critical vulnerabilities. Affected versions are Adobe Reader X (10.1) and Adobe Acrobat X (10.1) and earlier versions for Windows and OS X, and Adobe Reader 9.4.2 and earlier versions for UNIX. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

The specific problems fixed are:

  • A local privilege-escalation vulnerability (Adobe Reader X (10.x) on Windows only) (CVE-2011-1353).
  • A security bypass vulnerability that could lead to code execution (CVE-2011-2431).
  • A buffer overflow vulnerability in the U3D TIFF Resource that could lead to code execution (CVE-2011-2432).
  • Heap overflows that could lead to code execution (CVE-2011-2433, CVE-2011-2434).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2011-2435).
  • A heap overflow vulnerability in the Adobe image parsing library that could lead to code execution (CVE-2011-2436).
  • Three stack overflow vulnerabilities in the Adobe image parsing library that could lead to code execution (CVE-2011-2438).
  • A memory leakage condition vulnerability that could lead to code execution (CVE-2011-2439).
  • A use-after-free vulnerability that could lead to code execution (CVE-2011-2440).
  • Two stack overflow vulnerabilities in the CoolType.dll library that could lead to code execution (CVE-2011-2441).
  • A logic error vulnerability that could lead to code execution (CVE-2011-2442).

Simultaneously Adobe removed the DigiNotar root certificate from its trust list:

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List.

This update has been published for Adobe Reader and Acrobat X, which include a trust list that Adobe can dynamically manage without requiring a product update/patch. A future product update of Adobe Reader and Acrobat version 9.x will also enable dynamic updates of the AATL.