August 29, 2014

Adobe Releases Security Bulletins for Illustrator, Photoshop, Flash Professional and Shockwave Player

(LiveHacking.Com) – Adobe has released security bulletins describing critical vulnerabilities in Illustrator, Photoshop, Flash Professional and Shockwave Player:

Illustrator

Adobe released a security upgrade for Adobe Illustrator CS5.5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Illustrator.

Photoshop

Adobe has released a security upgrade for Adobe Photoshop CS5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious .TIF file must be opened in Photoshop CS5 and earlier for Windows and Macintosh by the user for an attacker to be able to exploit these vulnerabilities. Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Photoshop.

Flash Professional

Adobe has released a security upgrade for Adobe Flash Professional CS5.5 (11.5.1.349) and earlier for Windows and Macintosh. This upgrade addresses a vulnerability that could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Flash Professional.

Shockwave Player

Adobe has released a security update for Adobe Shockwave Player 11.6.4.634 and earlier versions for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to run malicious code on the affected system.

Adobe Fixes Zero-day Vulnerability in Flash That is Being Exploited in the Wild

(LiveHacking.Com) – Adobe has released a patch to fix a zero-day vulnerability in Flash Player that is being exploited in the wild. According to the security advisory the bug is being exploited in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only. As a remedy Adobe has released a security update for Windows, Macintosh, Linux and Android.

Details of the exact nature of the vulnerability are not available however it is clear that unpatched versions of Adobe Flash Player allow a remote attacker to execute arbitrary code via a crafted file, related to what is being called an “object confusion vulnerability.”

According to Symantec, the email attachment contains a  document with  “an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it.” Symantec says that the malware payload is Trojan.Pasam.

The vulnerability affects the following versions:

  • Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh, and Linux operating systems
  • Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

Windows users are advised to upgrade as soon as possible as the exploit is targeting that platform.

Adobe Releases Security Updates for Adobe Reader X

(LiveHacking.Com) – Adobe has released security updates for Adobe Reader to address vulnerabilities that could cause the application to crash and potentially allow an attacker to take control of the affected system.

The vulnerabilities fixed include:

  • An integer overflow in the True Type Font (TTF) handling that could lead to code execution (CVE-2012-0774).
  • A memory corruption in the JavaScript handling that could lead to code execution (CVE-2012-0775).
  • A security bypass via the Adobe Reader installer that could lead to code execution (CVE-2012-0776).
  • A memory corruption in the JavaScript API that could lead to code execution (CVE-2012-0777) (Macintosh and Linux only).

Affected Versions

  • Adobe Reader X (10.1.2) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.4.6 and earlier 9.x versions for Linux
  • Adobe Acrobat X (10.1.2) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5 and earlier 9.x versions for Windows and Macintosh

The Adobe Reader X (10.1.3) and Adobe Acrobat X (10.1.3) updates also incorporate the Adobe Flash Player updates as noted in Security Bulletins APSB12-03APSB12-05 and APSB12-07.

Adobe Release Security Details for Latest Version of Flash

(LiveHacking.Com) – Over the weekend Google released a new version of its web browser Chrome which, along with security related bug fixes, included a new version of Adobe Flash Player. At the time of its release, Google were ahead of Adobe meaning that the version of Flash Player in Chrome was not yet announced by Adobe. However Adobe has now released details of the security fixes to Flash Player.

Flash Player 11.1.102.63  contains priority 2 updates that address critical vulnerabilities on Windows, Macintosh, Linux,  Android 4.x, and Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

Specifically the update fixes a memory corruption vulnerability in Matrix3D that could lead to code execution (CVE-2012-0768) and a resolves integer errors that could lead to information disclosure (CVE-2012-0769).

By marking this update as priority 2 Adobe are recommending that users  install the update within 30 days. This is because there are currently no known exploits and based on previous experience, Adobe do not anticipate exploits are imminent.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 11.1.115.6 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x

The new version of Flash is available from the Flash Player Download Center. For users who cannot update to Flash Player 11.1.102.63, Adobe has developed a patched version of Flash Player 10.x, Flash Player 10.3.183.16, which can be downloaded here.

 

Adobe Fixes Critical Vulnerabilities and Adds JavaScript Whitelisting to Adobe Reader and Acrobat

(LiveHacking.Com) – Adobe has released updates for Adobe Reader and Adobe Acrobat to address multiple critical vulnerabilities including the zero-day Universal 3D (U3D) processing bug found last month. If exploited,  these vulnerabilities would allow a hacker to create a denial-of-service condition or take control of the affected system.

Details of the Critical fixes are:

  • Resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-4370).
  • Resolves a heap corruption vulnerability that could lead to code execution (CVE-2011-4371).
  • Resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-4372).
  • Resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-4373).
  • These updates include fixes for CVE-2011-2462 and CVE-2011-4369, previously addressed in Adobe Reader and Acrobat 9.x for Windows as referenced in Security Bulletin APSB11-30.

It is also worth noting that these updates also include the Adobe Flash Player update as noted in Security Bulletin APSB11-28.

JavaScript whitelisting
Adobe also added a new feature to Adobe Reader and Acrobat X (10.1.2) and 9.5 called Javascript whitelisting. In previous versions of Reader and Acrobat, administrators could disable the execution of JavaScript embedded in PDF files, to protect against PDF files containing malicious Javascript. However such an arbitrary control  breaks PDF-based solution workflows that rely on forms and JavaScript. In the new versions execution  of JavaScript in PDF files is now based on document trust. If a document is trusted, JavaScript execution will be allowed; but if it is untrusted, Adobe Reader and Acrobat will prevent all JavaScript execution. For more detail see Adobe’s blog post.

Affect versions

  • Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.4.7 and earlier 9.x versions for Windows
  • Adobe Reader 9.4.6 and earlier 9.x versions for Macintosh
  • Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.4.7 and earlier 9.x versions for Windows
  • Acrobat 9.4.6 and earlier 9.x versions for Macintosh

Adobe recommends users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). For users of Adobe Reader 9.4.7 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.2), Adobe has made available the update Adobe Reader 9.5. The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for April 10, 2012.

Adobe Reader Zero-day Vulnerability Patch Coming Today?

(LiveHacking.Com) - Ten days ago Adobe published a security advisory for Adobe Reader and Acrobat detailing a “critical” zero-day vulnerability that was already being actively exploited on the Internet, specifically against Adobe Reader 9.x on Windows.

The vulnerability is present in Adobe Reader and Adobe Acrobat X and 9.x, however Reader X and Acrobat X users can protect themselves against it by using Protected View / Mode. However there is no work around for Adobe Reader 9.x. Therefore Adobe promised a new release of Adobe Reader and Adobe Acrobat  9.x to fix the problem. This update is expected today.

According to Brad Arkin, the Senior Director for Product Security and Privacy at Adobe, the rationale behind releasing a hot fix only for Adobe Reader and Acrobat 9 on Windows is that “this is the version and platform currently being targeted.”

Soon after Adobe published details of the vulnerability, researchers at Symantec released details of attacks seen in the wild saying that the “critical vulnerability has recently been seen exploited in the wild in targeted attack emails sent on November 1st and 5th. This attack leverages the zero-day vulnerability in order to infect target computers with Backdoor.Sykipot.”

To exploit the zero-day vulnerability the attackers sent out emails with a specially crafted PDF attachment. This PDF uses a bug in Adobe’s Universal 3D (U3D) processing to cause a memory corruption and deliver its payload. News reports suggest that the emails targeted defense contractors, however companies in the Telecoms, Wholesale, and computer hardware industries have also been targeted.

Adobe Reader X and Adobe Acrobat X users should verify that they are using Protected View / Mode:

  • To verify Protected View for Acrobat X is enabled, go to: Edit >Preferences > Security (Enhanced) and ensure “Files from potentially unsafe locations” or “All files” with “Enable Enhanced Security” are checked.
  • To verify Protected Mode for Adobe Reader X is enabled, go to: Edit >Preferences >General and verify that “Enable Protected Mode at startup” is checked.

Adobe Acrobat has Critical Zero-Day Vulnerability

(LiveHacking.Com) - Adobe has published a security advisory for Adobe Reader and Acrobat detailing a “critical” vulnerability which when exploited can cause a crash and potentially allow an attacker to take control of the affected system. There are also reports that this vulnerability is being actively exploited on the Internet, specifically against Adobe Reader 9.x on Windows.

The vulnerability, which affects Adobe Acrobat X and Adobe Reader X and earlier versions for Windows and Macintosh, and Adobe Reader 9.x versions for UNIX, is in the Universal 3D (U3D) processing. U3D is a compressed file format standard for 3D computer graphics data which is natively supported by PDF. A U3D memory corruption causes the vulnerability and can allow an attacker to take control of the affected system.

Adobe Reader X using Protected Mode and Adobe Acrobat X using Protected View are not vulnerable. Therefore Adobe will release a fix for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011. However, Adobe Reader X and Adobe Acrobat X will be updated in the next quarterly security update which is currently scheduled for January 10, 2012 when the Mac and UNIX versions will also be updated.

According to Brad Arkin, the Senior Director for Product Security and Privacy at Adobe, the rationale behind releasing a hot fix only for Adobe Reader and Acrobat 9.4.6 on Windows is that “this is the version and platform currently being targeted.”

“All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE)” he wrote.

It is therefore essential that Adobe Reader X and Adobe Acrobat X users verify that they are using Protected View / Mode.

  • To verify Protected View for Acrobat X is enabled, go to: Edit >Preferences > Security (Enhanced) and ensure “Files from potentially unsafe locations” or “All files” with “Enable Enhanced Security” are checked.
  • To verify Protected Mode for Adobe Reader X is enabled, go to: Edit >Preferences >General and verify that “Enable Protected Mode at startup” is checked.

Adobe Fixes Cross-site Scripting Vulnerability in Flex SDK

(LiveHacking.Com) - Adobe has published a security advisory about an “important” vulnerability in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, OS X and Linux. As a result of this vulnerability applications built with the Flex SDK could be open to cross-site scripting attacks.

Adobe are recommending that developers using Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using these instructions.

Which applications are vulnerable?

  • All web-based (not AIR-based) Flex applications built using any release of Flex 3.x (including 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.4, 3.4.1, 3.5, 3.5A, and 3.6) are vulnerable.
  • Web-based (not AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5, and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable, except in certain cases that involve the use of embedded fonts.
  • Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) will not be vulnerable, but there are rare cases in which they may be vulnerable.
  • Flex applications built using any release of Flex prior to 3.0 are not vulnerable.
  • Flex applications that are AIR-based (not web-based) are not vulnerable.
  • SWF files that were created without using Flex (such as files created in Adobe Flash Professional) are not vulnerable.

Microsoft Plugs TCP/IP Hole While Adobe Fixes Critical Vulnerabilities in Shockwave

(LiveHacking.Com) - Microsoft has issued four security bulletins to address four vulnerabilities in its Windows operating system including a ‘Critical’ vulnerability in TCP/IP.

The networking flaw, which was reported privately to Microsoft, could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system. Successful exploitation of MS11-083 would let an attacker run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The flaw exists in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 but not in Windows XP or Windows Server 2003.

The remaining three bulletins are as follows:

MS11-085Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .eml or .wcinv file) from this location that is then loaded by a vulnerable application.

MS11-086< – Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837) – This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if Active Directory is configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate that is associated with a valid domain account and then uses that revoked certificate to authenticate to the Active Directory domain. By default, Active Directory is not configured to use LDAP over SSL.

MS11-084Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user opens a specially crafted TrueType font file as an e-mail attachment or navigates to a network share or WebDAV location containing a specially crafted TrueType font file. For an attack to be successful, a user must visit the untrusted remote file system location or WebDAV share containing the specially crafted TrueType font file, or open the file as an e-mail attachment. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an e-mail message or Instant Messenger message.

Adobe Shockwave Player

Whilst Microsoft was busy fixing its networking code, Adobe posted a security bulletin about its Shockwave Player.

Critical vulnerabilities exist in Adobe Shockwave Player 11.6.1.629 and earlier versions on the Windows and OS X. Successful exploitation would let an attacker run arbitrary code.

A new version of Shockwave Player is available which:

  • Resolves a memory corruption vulnerability in the DIRapi library that could lead to code execution (CVE-2011-2446).
  • Fixes a memory corruption vulnerability that could lead to code execution (CVE-2011-2447).
  • Resolves a memory corruption vulnerability in the DIRApi library that could lead to code execution (CVE-2011-2448).
  • Fixes multiple potential memory corruption vulnerabilities in the TextXtra module that could lead to code execution (CVE-2011-2449).

Adobe Change Flash Player Settings Manager To Stop Clickjacking

(LiveHacking.Com) - Adobe has made changes to the Flash Player Settings Manager SWF file hosted on the Adobe website in response to a vulnerability that allowed any website to turn on your webcam and microphone without your knowledge or consent.

Feross Aboukhadijeh, a Stanford University computer science student, found that a maliciously crafted web page could use the vulnerability for a “clickjacking” attack which resulted in the webcam and microphone being activated and so allowing a remote attacker to spy on the victim.

The way the attack works is to load the Flash Player Settings Manager SWF file into an iFrame and then making it invisible using CSS. Then, the unsuspecting user plays a little game and unwittingly enable their webcam.

The fix applied by Adobe requires no user action or Flash Player product update.