December 22, 2014

Adobe to patch Critical flaws in Acrobat and ColdFusion

adobe-logo(LiveHacking.Com) – Critical vulnerabilities have been found in Adobe Reader, Acrobat and ColdFusion and Adobe is planning to release patches to fix the flaws over the next week. The first to be patched will be Adobe Reader and Acrobat. Adobe plans to release a security update on Tuesday, January 8, 2013 for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux.

The nature of the vulnerabilities in Adobe’s PDF tools is not yet know, however they are ranked as Critical. A Critical vulnerability is one which, if exploited, would allow malicious native-code to execute, potentially without the user’s knowledge.

More is known about the ColdFusion vulnerabilities.  Adobe has identified three flaw affecting ColdFusion for Windows, Macintosh and UNIX:

  • CVE-2013-0625 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.
  • CVE-2013-0629 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user access to restricted directories.
  • CVE-2013-0631 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could result in information disclosure from a compromised server.

Adobe has confirmed that these vulnerabilities are being exploited in the wild but also notes that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled or have no password set.

The company is in the process of finalizing a patch for the vulnerabilities and expects to release a ColdFusion hotfix for versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX on January 15, 2013.

“We are currently evaluating the reports and plan to issue a security advisory as soon as we have determined mitigation guidance for ColdFusion customers and a timeline for a fix,” Adobe’s Wendy Poland said in a post on Adobe’s Product Security Incident Response Team (PSIRT) Blog.

Tuesday, January 8 is also the day that Microsoft will release seven security bulletins to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework.

Adobe Reader Zero-day Vulnerability Patch Coming Today?

(LiveHacking.Com) – Ten days ago Adobe published a security advisory for Adobe Reader and Acrobat detailing a “critical” zero-day vulnerability that was already being actively exploited on the Internet, specifically against Adobe Reader 9.x on Windows.

The vulnerability is present in Adobe Reader and Adobe Acrobat X and 9.x, however Reader X and Acrobat X users can protect themselves against it by using Protected View / Mode. However there is no work around for Adobe Reader 9.x. Therefore Adobe promised a new release of Adobe Reader and Adobe Acrobat  9.x to fix the problem. This update is expected today.

According to Brad Arkin, the Senior Director for Product Security and Privacy at Adobe, the rationale behind releasing a hot fix only for Adobe Reader and Acrobat 9 on Windows is that “this is the version and platform currently being targeted.”

Soon after Adobe published details of the vulnerability, researchers at Symantec released details of attacks seen in the wild saying that the “critical vulnerability has recently been seen exploited in the wild in targeted attack emails sent on November 1st and 5th. This attack leverages the zero-day vulnerability in order to infect target computers with Backdoor.Sykipot.”

To exploit the zero-day vulnerability the attackers sent out emails with a specially crafted PDF attachment. This PDF uses a bug in Adobe’s Universal 3D (U3D) processing to cause a memory corruption and deliver its payload. News reports suggest that the emails targeted defense contractors, however companies in the Telecoms, Wholesale, and computer hardware industries have also been targeted.

Adobe Reader X and Adobe Acrobat X users should verify that they are using Protected View / Mode:

  • To verify Protected View for Acrobat X is enabled, go to: Edit >Preferences > Security (Enhanced) and ensure “Files from potentially unsafe locations” or “All files” with “Enable Enhanced Security” are checked.
  • To verify Protected Mode for Adobe Reader X is enabled, go to: Edit >Preferences >General and verify that “Enable Protected Mode at startup” is checked.

Adobe Acrobat has Critical Zero-Day Vulnerability

(LiveHacking.Com) – Adobe has published a security advisory for Adobe Reader and Acrobat detailing a “critical” vulnerability which when exploited can cause a crash and potentially allow an attacker to take control of the affected system. There are also reports that this vulnerability is being actively exploited on the Internet, specifically against Adobe Reader 9.x on Windows.

The vulnerability, which affects Adobe Acrobat X and Adobe Reader X and earlier versions for Windows and Macintosh, and Adobe Reader 9.x versions for UNIX, is in the Universal 3D (U3D) processing. U3D is a compressed file format standard for 3D computer graphics data which is natively supported by PDF. A U3D memory corruption causes the vulnerability and can allow an attacker to take control of the affected system.

Adobe Reader X using Protected Mode and Adobe Acrobat X using Protected View are not vulnerable. Therefore Adobe will release a fix for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011. However, Adobe Reader X and Adobe Acrobat X will be updated in the next quarterly security update which is currently scheduled for January 10, 2012 when the Mac and UNIX versions will also be updated.

According to Brad Arkin, the Senior Director for Product Security and Privacy at Adobe, the rationale behind releasing a hot fix only for Adobe Reader and Acrobat 9.4.6 on Windows is that “this is the version and platform currently being targeted.”

“All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE)” he wrote.

It is therefore essential that Adobe Reader X and Adobe Acrobat X users verify that they are using Protected View / Mode.

  • To verify Protected View for Acrobat X is enabled, go to: Edit >Preferences > Security (Enhanced) and ensure “Files from potentially unsafe locations” or “All files” with “Enable Enhanced Security” are checked.
  • To verify Protected Mode for Adobe Reader X is enabled, go to: Edit >Preferences >General and verify that “Enable Protected Mode at startup” is checked.

Adobe Updates Acrobat to Fix Security Problems; Also Revokes Trust in DigiNotar

(LiveHacking.Com) – Adobe has released an update to Acrobat and Acrobat Reader to fix various Critical vulnerabilities. Affected versions are Adobe Reader X (10.1) and Adobe Acrobat X (10.1) including earlier versions for Windows and OS X, Adobe Reader 9.4.2 and earlier versions for UNIX. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

The specific problems fixed are:

  • A local privilege-escalation vulnerability (Adobe Reader X (10.x) on Windows only) (CVE-2011-1353).
  • A security bypass vulnerability that could lead to code execution (CVE-2011-2431).
  • A buffer overflow vulnerability in the U3D TIFF Resource that could lead to code execution (CVE-2011-2432).
  • Heap overflows that could lead to code execution (CVE-2011-2433, CVE-2011-2434).
  • A buffer overflow vulnerability that could lead to code execution (CVE-2011-2435).
  • A heap overflow vulnerability in the Adobe image parsing library that could lead to code execution (CVE-2011-2436).
  • Three stack overflow vulnerabilities in the Adobe image parsing library that could lead to code execution (CVE-2011-2438).
  • A memory leakage condition vulnerability that could lead to code execution (CVE-2011-2439).
  • A use-after-free vulnerability that could lead to code execution (CVE-2011-2440).
  • Two stack overflow vulnerabilities in the CoolType.dll library that could lead to code execution (CVE-2011-2441).
  • A logic error vulnerability that could lead to code execution (CVE-2011-2442).

Simultaneously Adobe removed the DigiNotar root certificate from its trust list:

Adobe takes the security and trust of our users very seriously. Based on the nature of the breach, Adobe is now taking the action to remove the DigiNotar Qualified CA from the Adobe Approved Trust List.

This update has been published for Adobe Reader and Acrobat X which include a trust list that Adobe can dynamically manage without requiring a product update/patch.  A future product update of Adobe Reader and Acrobat version 9.x will also enable dynamic updates of the AATL.