December 18, 2018

In Brief: Adobe fixes at least 26 security problems in Adobe Acrobat and Adobe Reader

(LiveHacking.Com) – Along with its update to Flash, Adobe has released updates that fix at least 26 security problems in Adobe Acrobat and Adobe Reader. The update for the popular PDF file reader and its companion PDF creator is available for Windows, OS X and Linux.

This update addresses vulnerabilities that could cause a crash and possibly allow an attacker to run arbitrary code on an affected system. Details of the bugs fixed are:

  • Memory corruption vulnerabilities that could lead to code execution (CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0619, CVE-2013-0620, CVE-2013-0623).
  • Use-after-free vulnerability that could lead to code execution (CVE-2013-0602).
  • Heap overflow vulnerabilities that could lead to code execution (CVE-2013-0603, CVE-2013-0604).
  • Stack overflow vulnerabilities that could lead to code execution (CVE-2013-0610, CVE-2013-0626).
  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2013-0606, CVE-2013-0612, CVE-2013-0615, CVE-2013-0617, CVE-2013-0621).
  • Integer overflow vulnerabilities that could lead to code execution (CVE-2013-0609, CVE-2013-0613).
  • Local privilege escalation vulnerability (CVE-2013-0627).
  • Logic error vulnerabilities that could lead to code execution (CVE-2013-0607, CVE-2013-0608, CVE-2013-0611, CVE-2013-0614, CVE-2013-0618).
  • Security bypass vulnerabilities (CVE-2013-0622, CVE-2013-0624).

Affected Versions

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh

Adobe fixes Flash Player and Microsoft patches IE 10 to update its built-in version

(LiveHacking.Com) – Adobe has released security updates for Adobe Flash Player for Windows, OS X, Linux and Android. These updates address a vulnerability that could cause a crash and potentially allow an attacker to execute arbitrary code on the affected system.

These updates fix a buffer overflow vulnerability in Flash that could lead to code execution.

Affected Versions

  • Adobe Flash Player 11.5.502.135 and earlier versions for Windows
  • Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.258 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.34 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.880 and earlier versions for Windows
  • Adobe AIR 3.5.0.890 and earlier versions for Macintosh
  • Adobe AIR 3.5.0.880 for Android
  • Adobe AIR 3.5.0.880 SDK and Adobe AIR 3.5.0.890 SDK

IE10

Microsoft has also revised Security Advisory 2755801 to include the latest Adobe updates. IE10 comes with a built-in version of Flash (like Chrome). An IE10 update is available as a cumulative update, which means customers do not need to install previous updates as a prerequisite for installing the current update.

“We remain committed to working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process,” wrote Dustin Childs from Microsoft’s Trustworthy Computing unit.

Adobe to patch Critical flaws in Acrobat and ColdFusion

(LiveHacking.Com) – Critical vulnerabilities have been found in Adobe Reader, Acrobat and ColdFusion and Adobe is planning to release patches to fix the flaws over the next week. The first to be patched will be Adobe Reader and Acrobat. Adobe plans to release a security update on Tuesday, January 8, 2013 for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux.

The nature of the vulnerabilities in Adobe’s PDF tools is not yet known; however, they are ranked as Critical. A Critical vulnerability is one which, if exploited, would allow malicious native code to execute, potentially without the user’s knowledge.

More is known about the ColdFusion vulnerabilities. Adobe has identified three flaws affecting ColdFusion for Windows, Macintosh and UNIX:

  • CVE-2013-0625 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.
  • CVE-2013-0629 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user access to restricted directories.
  • CVE-2013-0631 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could result in information disclosure from a compromised server.

Adobe has confirmed that these vulnerabilities are being exploited in the wild but also notes that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled or have no password set.

The company is in the process of finalizing a patch for the vulnerabilities and expects to release a ColdFusion hotfix for versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX on January 15, 2013.

“We are currently evaluating the reports and plan to issue a security advisory as soon as we have determined mitigation guidance for ColdFusion customers and a timeline for a fix,” Adobe’s Wendy Poland said in a post on Adobe’s Product Security Incident Response Team (PSIRT) Blog.

Tuesday, January 8 is also the day that Microsoft will release seven security bulletins to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework.

Adobe hasn’t yet fixed Critical Shockwave vulnerability reported in 2010

(LiveHacking.Com) – According to three advisories published by US-CERT, Adobe Shockwave has three Critical vulnerabilities which could allow attackers to remotely execute code on vulnerable machines. At least one of the vulnerabilities was reported to Adobe in 2010 and isn’t scheduled to be fixed until 2013.

US-CERT issued Vulnerability Note VU#519137 warning that Adobe Shockwave Player installs Xtras that are signed by Adobe or Macromedia without prompting, which means that an attacker can target vulnerabilities in older versions of Xtras. When Shockwave needs to use an Xtra, it is downloaded and installed automatically without any user interaction. The problem is that the download location is stored in the Shockwave movie itself. By changing the value of the download location, attackers can force a vulnerable older version of the Xtra to be installed.

“By convincing a user to view specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user,” noted US-CERT.

In another issue, US-CERT reported that Adobe Shockwave Player 11.6.8.638 and earlier provide a vulnerable version of the Flash runtime. The included Flash runtime is version 10.2.159.1, which was released on April 15, 2011. This version of Flash contains several exploitable vulnerabilities. Since Shockwave uses its own Flash runtime, the machine is still vulnerable even if a new version of Flash has been installed on the PC.

The third problem is that Adobe Shockwave Player can automatically install a legacy version of its runtime. This can increase the attack surface of systems that have Shockwave installed. Because this is a design feature, attackers can target vulnerabilities in the Shockwave 10 runtime, or any of the Xtras provided by Shockwave 10. The example that US-CERT gives is that the legacy version of Shockwave provides Flash 8.0.34.0, which was released on November 14, 2006 and contains multiple, known vulnerabilities.
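The weakness behind the Xtra and legacy-runtime issues is that a valid vendor signature proves who built a component, not that it is current. The sketch below is an added example, not Adobe's or US-CERT's code: it contrasts a signature-only install check with one that also pins the download origin and enforces a version floor. The HMAC stands in for a real code signature, and every name, URL, key and version in it is constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins: a real installer would verify a code-signing
# signature; an HMAC under a vendor key plays that role so this runs offline.
VENDOR_KEY = b"constructed-vendor-signing-key"
TRUSTED_ORIGIN = "https://components.vendor.example/"  # hypothetical pinned origin
MIN_VERSION = {"ExampleXtra": (2, 0, 0)}               # hypothetical version floor


def sign(name, version, payload):
    """Vendor-side signature over name, version and payload (constructed)."""
    msg = f"{name}|{'.'.join(map(str, version))}|".encode() + payload
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()


def make_pkg(name, version, payload):
    return {"name": name, "version": version, "payload": payload,
            "sig": sign(name, version, payload)}


def signature_ok(pkg):
    expected = sign(pkg["name"], pkg["version"], pkg["payload"])
    return hmac.compare_digest(expected, pkg["sig"])


def install_signature_only(pkg, url):
    """Behaviour described above: any validly signed component is accepted,
    from whatever location the content names (url is never examined)."""
    return signature_ok(pkg)


def install_hardened(pkg, url):
    """Adds the checks a signature cannot provide: a fixed origin and a
    minimum version, so an old but genuinely signed build is refused."""
    if not url.startswith(TRUSTED_ORIGIN):
        return False, "origin not pinned"
    if not signature_ok(pkg):
        return False, "bad signature"
    floor = MIN_VERSION.get(pkg["name"])
    if floor is None or pkg["version"] < floor:
        return False, "version below floor"
    return True, "ok"


# Constructed sample packages: both carry a genuine vendor signature.
OLD = make_pkg("ExampleXtra", (1, 0, 0), b"old build with known bugs")
NEW = make_pkg("ExampleXtra", (2, 0, 0), b"current build")
CONTENT_URL = "http://mirror.example/ExampleXtra"  # location named by the content

if __name__ == "__main__":
    print(install_signature_only(OLD, CONTENT_URL))
    print(install_hardened(OLD, CONTENT_URL))
    print(install_hardened(OLD, TRUSTED_ORIGIN + "ExampleXtra"))
    print(install_hardened(NEW, TRUSTED_ORIGIN + "ExampleXtra"))
```

The signature-only path accepts the old build because its signature is genuine; only the version floor and origin pin reject it.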

“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” an Adobe spokesperson told SecurityWeek. “We are not aware of any active exploits or attacks in the wild using this particular technique.”

Uninstalling the Shockwave Player will remove the vulnerabilities and since it isn’t used that often today you can probably remove it without any impact on your system.  Adobe has an uninstaller.

 

Ex-black hat hacker claims to have full backup for one of Yahoo’s domains

(LiveHacking.Com) –  A reformed black hat hacker, who now works as an ethical security researcher and penetration tester, has found zero-day vulnerabilities in several online services including some provided by Adobe, Microsoft, Yahoo, Google, Apple and Facebook. Since the tester, who goes by the name Virus_HimA, ceased black hat activities he started reporting the vulnerabilities to the vendors instead. According to his post on Pastebin, companies like Google reacted quickly to the reported flaws, but others like Adobe and Yahoo moved very slowly and in some cases didn’t even bother to reply to the disclosure emails they were sent.

As a result Virus_HimA has declared his intention to “teach both of them a hard lesson to harden their security procedures.” This is the lesser of two evils according to the ex-hacker. “It would make a disaster if such companies vulnerabilities was privately used in the underground and they never know about it! not only their customers been affected but the vendors themselves also suffer from such exploits,” he wrote.

As part of his penetration activities, Virus_HimA claims to have access to:

  • Full files backup for one of Yahoo domains
  • Full access to 12 of Yahoo Databases
  • Knowledge of a reflected-XSS (Cross Site Scripting) vulnerability

The researcher has promised never to use, share, sell or publish any of the Adobe or Yahoo data and exploits anywhere, but rather is keen to establish his reputation. To this end, when he released a small sample of data from Adobe, he specifically chose to publish critical email addresses including those with a .mil ending. This got the attention of Adobe, which quickly started investigating the case, shut down the vulnerable web site and emailed him asking for vulnerability details. Apparently Adobe is now working on a patch.

Analysis

This isn’t the first time a frustrated researcher has resorted to public exposure to get a large online business to move more quickly on security issues. Back in November PayPal was embroiled in a dispute with a security researcher who reported errors under PayPal’s security bounty scheme. A few weeks later Skype had to move quickly to fix an account hijacking flaw after it was posted online. The problem was that Skype had been made aware of the flaw some three months beforehand.

The ethics of such public exposure are questionable; however, until some of the big online companies start to take these private disclosures more seriously, such exposures will continue to happen.

Google updates Chrome to fix a Critical vulnerability and update Flash

(LiveHacking.Com) –  Google has released a new version of Chrome for Windows, Mac and Linux. Chrome 23.0.1271.97 fixes several non-security related bugs along with at least one Critical level security vulnerability. The new version also includes an updated version of Flash following Adobe’s security update.

The Critical level bug is a crash in the history navigation. It was found by Michal Zalewski of the Google Security Team. The other security related bugs, along with the money awarded to the bounty hunter by Google under the Chromium security rewards scheme, are:

  • [$1500] [158204] High CVE-2012-5139: Use-after-free with visibility events. Credit to Chamal de Silva.
  • [$1000] [159429] High CVE-2012-5140: Use-after-free in URL loader. Credit to Chamal de Silva.
  • [160456] Medium CVE-2012-5141: Limit Chromoting client plug-in instantiation. Credit to Google Chrome Security Team (Jüri Aedla).
  • [160926] Medium CVE-2012-5143: Integer overflow in PPAPI image buffers. Credit to Google Chrome Security Team (Cris Neckar).
  • [$2000] [161639] High CVE-2012-5144: Stack corruption in AAC decoding. Credit to pawlkt.

The new version also fixes the following non-security related bugs:

  • Some texts in a Website Settings popup are trimmed (Issue: 159156)
  • Linux: <input> selection renders white text on white bg in apps (Issue: 158422)
  • some plugins stopped working (Issue: 159896)
  • Windows 8: Unable to launch system level chrome after self destructing user-level chrome (Issue: 158632)

Adobe releases security updates for Flash Player

(LiveHacking.Com) –  Adobe has released a set of security updates for its Flash Player. The update applies to the Windows, Linux and OS X operating systems as well as to Android. The updates address vulnerabilities that, if exploited, could cause a crash and allow an attacker to execute arbitrary code.

There are three distinct bugs fixed. The first is a buffer overflow vulnerability, the second an integer overflow vulnerability and the last a memory corruption vulnerability. All three could lead to code execution.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.251 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.27 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.24 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.600 and earlier versions for Windows and Macintosh, Android and SDK (includes AIR for iOS)

Microsoft has updated IE 10 to include the new version of Flash. Likewise Google has updated Chrome to version 23.0.1271.97.

Adobe Reader PDF zero-day exploit selling for $50,000 on black market

(LiveHacking.Com) – Although Adobe added sandboxing to Adobe Reader X, it still seems that malicious hackers are finding ways of compromising the security of computers via specially formed PDF files. Russian security firm Group-IB has announced that there is a new zero-day exploit for the popular PDF file reader which is being sold in the underground for up to $50,000. The exploit, which targets Windows-based installations of Adobe X and IX, has also been included in a modified version of the notorious BlackHole exploit toolkit.

At the moment the exploit is only being distributed in small circles of underground hackers but, of course, there is every possibility that its use will become widespread. The new unpatched zero-day threat gives malware writers and bot authors further opportunities to create new attack vectors by which malware can be loaded onto a victim’s computer.

“The vulnerability has some limitations, for example it could be successfully exploited only after the user will close the browser and restart it. Another variant is to organize interaction between the victim and the malformed PDF-document. Either way, the vulnerability is has very significant vector to be spread with bypassing of internal Adobe X sandbox, which is appealing for cybercrime gangs because in the past there was no documented method of how to bypass it with shellcode execution,” said Andrey Komarov, the Head of International Projects Department of Group-IB.

A video showing a proof of concept can be seen here: http://www.youtube.com/watch?v=uGF8VDBkK0M&feature=youtu.be. As the video shows, for the payload to run the web browser needs to be restarted. This means that the malware might not infect the PC at the moment the PDF file is opened, but it will most likely succeed at a future time whenever the web browser is closed.

“We saw the announcement from Group IB, but we haven’t seen or received any details,” Adobe spokeswoman Wiebke Lips told SCMagazine.com in an email. “Adobe PSIRT (Product Security Incident Response Team) has reached out to Group-IB, but we have not yet heard back. Without additional details, there is nothing we can do, unfortunately — beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

Brian Krebs has pointed out that Blackhole is by far the most prevalent exploit kit in use today. At any rate, consumers should realize that there are several PDF reader options apart from Adobe’s, including Foxit, PDF-Xchange Viewer, Nitro PDF and Sumatra PDF.

In brief: Microsoft updates Internet Explorer 10 to address vulnerabilities in Adobe Flash Player

(LiveHacking.Com) – Adobe has released a new version of its ubiquitous Flash Player to address vulnerabilities that could cause a crash and potentially be exploited by an attacker to infect a PC with malware. As a result Microsoft has issued a patch to IE10 to update the browser’s built-in version of Flash Player.

Microsoft has revised Security Advisory 2755801 to reflect the changes. The new version of IE is available for all supported editions of Windows 8, Windows Server 2012, and Windows RT. For more information about the update, including download links, see Microsoft Knowledge Base Article 2770041.

“We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process,” said Dave Forstrom, Director, Microsoft Trustworthy Computing.

Adobe has released a security update for Adobe Flash Player

(LiveHacking.Com) – Adobe has released a security update for Adobe Flash Player to address vulnerabilities that could cause a crash and potentially be exploited by an attacker to infect a PC with malware.

The update applies to Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.243 and earlier versions for Linux, Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x.

The update addresses six different memory issues and a security bypass vulnerability:

  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5280).
  • Memory corruption vulnerabilities that could lead to code execution (CVE-2012-5279).
  • Security bypass vulnerability that could lead to code execution (CVE-2012-5278).

If you need to check the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. For those with multiple browsers installed you should perform the check for each browser. Android users should tap on Settings > Applications > Manage Applications > Adobe Flash Player x.x.

The built-in version of Flash Player has also been updated in Internet Explorer 10 and Chrome.