Tag Archives: acrobat

Adobe Patch Day: Reader, Flash, and Illustrator Security Patches

Severity: High

Summary:

  • These vulnerabilities affect: Reader and Acrobat, Flash Player, and Illustrator (CS6)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released or updated three security bulletins that describe vulnerabilities in four of their popular software packages: Reader and Acrobat X, Flash Player, and Illustrator.

Adobe Patch Day, May 2014

 

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

  • APSB14-15: Multiple Reader and Acrobat Code Execution Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 11 vulnerabilities that affect Adobe Reader and Acrobat XI 11.0.06 and earlier, running on Windows and Macintosh.  Adobe only describes the flaws in minimal technical detail, but they do share that many of the flaws involve memory corruption issues that attackers could exploit to execute code. Most of these memory corruption flaws share the same scope and impact. If an attacker can entice one of your users into opening a specially crafted PDF file, he can exploit these issues to execute code on that user’s computer, inheriting the user’s privileges. If your users have root or system administrator privileges, the attacker gains complete control of their computer. If you use Reader, you should patch soon.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB14-14: Half a Dozen Flash Player (and Air) Vulnerabilities

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android. It is also built into certain browsers, like Google and Internet Explorer (IE) 11.

Adobe’s bulletin describes six flaws in Flash Player 13.0.0.206 and earlier for all platforms. The vulnerabilities differ technically, and in scope and impact, but the worst could allow attackers to execute code on your users’ computers. Specifically, Flash Player suffers from a “use after free” vulnerability – a type of memory corruption flaw that attackers can leverage to execute arbitrary code. If an attacker can lure you to a web site, or get you to open documents containing specially crafted Flash content, he could exploit this flaw to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer. Though not as severe as the use after free flaw, the remaining flaws are all security bypass issues that could also help attackers further elevate their privileges after an attack.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB14-011: Illustrator (CS6) Buffer Overflow Vulnerability

Illustrator is a very popular vector drawing program that ships with Adobe’s popular Creative Suite. It suffers from an unspecified buffer overflow vulnerability. Adobe doesn’t describe the flaw in technical detail, but we presume that it has something to do with handling specially crafted Illustrator files. If that’s the case, opening specially crafted files in Illustrator could allow attackers to execute code on your machine with your privileges. Attackers don’t often target Illustrator, so we don’t expect this vulnerability to get exploited much in the wild. Nonetheless, if you use Illustrator, you ought to patch it at your convenience.

Adobe Priority Rating: 3 (Patch at your discretion)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

    • Adobe Reader/Acrobat Security Update APSB14-15
    • Adobe Flash Player Security Update APSB14-14
    • Adobe Illustrator Security Update APSB14-11

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Adobe Patch Day: Flash and Reader Updates Fix Five Flaws

Severity: High

Summary:

  • These vulnerabilities affect: Flash Player, Reader XI, and Acrobat XI (and Adobe Air)
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
  • Impact: Various results; in the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released or updated two security bulletins that describe vulnerabilities in two of their popular software packages: Flash Player and Reader/Acrobat X.

Adobe Patch Day, Jan 2014

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:

  • APSB14-01: Trio of Reader and Acrobat Memory Corruption Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes three vulnerabilities that affect Adobe Reader and Acrobat XI 11.0.05 and earlier, running on Windows and Macintosh.  Adobe doesn’t describe the flaws in much technical detail, but does note that they involve integer overflow and memory corruption issues. They all share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB14-02: Flash Player Code Execution Vulnerability

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes two serious flaws in Flash Player 11.9.900.170 and earlier for all platforms. They don’t describe the  vulnerabilities in much technical detail, just mentioning that one allows you to “bypass security protections” and the other allows you to defeat Address Space Layout Randomization (ASLR), which is a memory obfuscation technique that some software uses to make it harder for attackers to exploit memory corruption flaws. They do, however, describe the flaws’ impacts. In the worst case, if an attacker can lure you to a web site, or get you to open documents containing specially crafted Flash content, he could exploit a combination of these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Hefty Patch Day Despite Light Microsoft Turnout

If any security professionals need a quick reminder that the end-of-year holidays are over, and it’s time to get back to protecting information, Microsoft’s first Patch Day of the year will likely do that for you. However, the good news is Microsoft is giving us a slow start with only four security updates for January. Unfortunately, two other companies, Oracle and Adobe, have filled in the gaps with big updates of their own.

Let’s start with Microsoft.

According to their summary post, Microsoft released four bulletins today which fix security flaws in Windows, Office, and their Dynamics AX server (an enterprise resource planning or ERP solution). They didn’t release any Critical bulletins this month, only ones with an Important rating; essentially their “medium” severity. Though vulnerabilities with this rating might be a bit more difficult to exploit (requiring local access or victim interaction), some of them could still allow remote attackers to gain full control of your users’ machines. In short, you should still take these updates seriously despite the light load, and their less critical nature.

As far as priority, start with the Windows kernel vulnerability, as it fixes a zero day flaw that attackers are actively exploiting in the wild. Granted, the attackers exploiting it need local access to your computer to leverage the flaw, but if they do they gain full (SYSTEM) control of the PC. The remaining Windows and Office flaws are just about equal in severity. Which you focus on first is up to you. I’d probably consider the Office one since bad guys like using malicious documents in their spear phishing emails lately. Finally, the Dynamics AX update fixes a DoS flaw. I don’t suspect many smaller organizations use this product, and DoS flaws aren’t quite as severe as others. So save this one for last, if you happen to use the product.

With Microsoft done, your focus this month is probably better served with patching Adobe and Oracle products. Adobe’s patch day always falls on the same Tuesday as Microsoft’s. However, Oracle happens to follow a quarterly patch cycle, which only occasionally lines up directly with Microsoft’s Patch Day. Unfortunately, this is one such month, and you get to enjoy the unholy trifecta of patching three big corporations’ products at once. Yay (sarcasm)!

Today, Adobe has released updates for Reader, Acrobat, and Flash Player, and Oracle has released their huge Critical Patch Update, fixing over a hundred flaws in a wide variety of products. I’ll post more details about these updates later today, but for now you can check out Adobe’s or Oracle’s pre-announcement advisories if you want a head start.

I’ll post the detailed alerts for Microsoft’s Windows and Office updates shortly. Since I doubt the majority of customers use Dynamics AX, I don’t plan on posting a full alert for it, so if you use it be sure to check out Microsoft’s alert (MS14-004) yourself, and grab the corresponding updates. Stay tuned! — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day Summary, Jan 2014

Adobe Patch Day: Updates for Reader/Acrobat XI and Robohelp

As you may know, Adobe shares Microsoft Patch Day. Today they released two security bulletins; one for Reader and Acrobat, and another for Robohelp. That said, these are pretty minor updates that won’t affect everyone.

The Reader and Acrobat update is probably the one you should pay closest attention to. However, it’s actually only an update for the newest version of Reader and Acrobat, called XI (11.0.0.4). The update doesn’t fix a new flaw; rather, it fixes a regression of an old flaw. Reader XI reintroduced an issue with its JavaScript security controls. In short, if you have Reader X or lower, you’re fine. You only have to consider this update if you’re running the latest version.

The second Adobe update involves a more critical flaw, but only affects a product that few people use. Robohelp is a tool that allows people to create and publish web content for their products. It suffers from an unspecified memory corruption vulnerability that attackers can leverage to remotely execute code. If you use Robohelp, this is a serious flaw, and you should update as soon as you can. However, I suspect few of my readers use Robohelp.

So to summarize, this month’s Adobe patch day is rather light, and involves limited products. If you happen to use the affected software, you should still update, but I’m guessing these issues will only affect a few of you.  — Corey Nachreiner, CISSP (@SecAdept)

Expect a Microsoft and Adobe Patch Bonanza Next Tuesday

Microsoft and Adobe plan a tag team assault on computer administrators and users next Tuesday, when they intend to release a pile of Critical security updates. If you manage Windows PCs, you use at least two of the vulnerable products, and likely many more. So I recommend you gear up for a day of software updates next week.

Let’s start with Microsoft’s Patch Day.

According to their August Advanced Notification, Microsoft intends to post nine security bulletins on August 14, five of which they rate as Critical. The updates fix vulnerabilities in Windows, Internet Explorer, Office, SQL Server, Exchange, and a few other products (see the image on the right for the full list).

Microsoft hasn’t shared the details about these flaws with the public yet, but it is safe to say you should apply the Critical updates as soon as possible — especially the server related ones. Critical vulnerabilities tend to allow remote attackers to gain full control of your computer, which is bad, to say the least.

Also, during last week’s WatchGuard Security Week in Review episode I mentioned an unpatched vulnerability in Microsoft Exchange, related to its use of Oracle’s Outside In technology. I’d guess next Tuesday’s Exchange patch will probably fix this vulnerability. In short, if you manage a Windows network, prepare your team for a busy day of patching next week.

But that’s not all folks…

Adobe also likes to share Microsoft’s Black Tuesday, and has announced their upcoming patch day as well. Their post warns that they plan to release Adobe Reader and Acrobat X updates to fix vulnerabilities that affect both Windows and Macintosh platforms. They haven’t shared any details about the vulnerabilities in question yet, but I’m pretty sure I can accurately predict the general gist of their upcoming advisory. I’m pretty sure it will come down to, “if you open a specially crafted PDF document, attackers can leverage some flaw to execute code on your system with your privileges.”

Since most computer users (Mac and PC users alike) install Reader, these issues will probably affect many people. Furthermore, attackers have been leveraging flaws in PDF documents in many of their spear phishing attacks lately, since many users still consider these documents as benign. If you use these popular Adobe products, plan to patch post haste.

I’ll know more about these bulletins on Tuesday, and will publish alerts about them here. — Corey Nachreiner, CISSP

Update Adobe Reader or Avoid Potentially Malicious PDFs

Summary:

  • This vulnerability affects: Adobe Reader and Acrobat X 10.1.2 and earlier, running on Windows, Mac, and Linux
  • How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: Windows users should install Adobe’s Reader and Acrobat X 10.1.3 or 9.5.1 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

Today, Adobe released a security bulletin describing four vulnerabilities in Adobe Reader and Acrobat X 10.1.2 and earlier, running on all supported platforms. Adobe doesn’t describe these flaws in much technical detail, but most of them involve integer overflow and memory corruption issues within Reader and Acrobat components. Despite their technical differences, all four vulnerabilities share a similar scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

If you use Adobe Reader to open PDF documents, you should download and install this Reader update as soon as you can.

Solution Path

Adobe has released Reader and Acrobat X 10.1.3 (and 9.5.1 for legacy users) to fix these vulnerabilities. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your WatchGuard appliance to block PDF documents from entering your network, thus mitigating the risk of these issues. However, doing so blocks both legitimate and malicious PDF files. If your organization relies on PDF documents, you may not want to implement this mitigation workaround.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list various ways you can identify PDF documents (.pdf):

File Extension:

  • .PDF – Adobe Reader document

MIME types:

  • application/pdf
  • application/x-pdf
  • application/acrobat
  • application/vnd.pdf
  • text/pdf
  • text/x-pdf

FILExt.com reported Magic Byte Pattern:

  • Hex: 25 50 44 46 2D 31 2E
  • ASCII: %PDF-1.
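The three identification methods listed above, combined into one check, as an added example that is not WatchGuard's proxy code or configuration. The names `classify`, `Verdict` and `HEADER_WINDOW` are hypothetical, the sample inputs are constructed, and the 1024-byte search window is an assumption based on Acrobat viewers accepting the `%PDF-` header anywhere in the first 1024 bytes of a file.

```python
from typing import NamedTuple, Optional

# Indicators taken from the lists above.
PDF_EXTENSIONS = {".pdf"}
PDF_MIME_TYPES = {
    "application/pdf", "application/x-pdf", "application/acrobat",
    "application/vnd.pdf", "text/pdf", "text/x-pdf",
}
PDF_MAGIC = bytes.fromhex("25 50 44 46 2D 31 2E")  # b"%PDF-1."

# Assumption (not from the post): search a window rather than offset 0 only,
# because Acrobat viewers accept the header within the first 1024 bytes.
HEADER_WINDOW = 1024


class Verdict(NamedTuple):
    by_extension: bool
    by_mime: bool
    magic_offset: Optional[int]  # offset of the magic bytes, None if absent

    @property
    def is_pdf(self) -> bool:
        return self.by_extension or self.by_mime or self.magic_offset is not None

    @property
    def mislabeled(self) -> bool:
        # Content is a PDF although neither the name nor the MIME type says so.
        # Extension and MIME rules alone would let this file through.
        return self.magic_offset is not None and not (self.by_extension or self.by_mime)


def classify(filename: str, mime_type: str, body: bytes) -> Verdict:
    """Apply the extension, MIME type and magic byte checks to one file."""
    name = filename.strip().lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    # Drop MIME parameters such as "; name=report.pdf" before comparing.
    mime = mime_type.split(";", 1)[0].strip().lower()
    # The whole pattern must fit inside the search window.
    offset = body[:HEADER_WINDOW].find(PDF_MAGIC)
    return Verdict(
        by_extension=ext in PDF_EXTENSIONS,
        by_mime=mime in PDF_MIME_TYPES,
        magic_offset=offset if offset != -1 else None,
    )


# Constructed sample inputs: (filename, declared MIME type, first bytes of body).
SAMPLES = [
    ("invoice.PDF", "Application/PDF; name=invoice.PDF", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("notes.txt", "text/plain", b"%PDF-1.7\n1 0 obj\n"),
    ("scan.dat", "application/octet-stream", b"\x00" * 16 + b"%PDF-1.5\n"),
    ("readme.txt", "text/plain", b"plain text about PDF files\n"),
    ("photo.jpg", "text/x-pdf", b"\xff\xd8\xff\xe0"),
]


def report(samples=SAMPLES):
    """Return (filename, Verdict) pairs for a list of samples."""
    return [(name, classify(name, mime, body)) for name, mime, body in samples]


if __name__ == "__main__":
    for name, v in report():
        action = "block" if v.is_pdf else "allow"
        note = " (content does not match name or MIME type)" if v.mislabeled else ""
        print(f"{name:12} ext={v.by_extension!s:5} mime={v.by_mime!s:5} "
              f"magic@{v.magic_offset} -> {action}{note}")
```
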

If you do decide you want to block PDF files, the links below contain instructions that will help you configure your WatchGuard appliance’s content blocking features using the file and MIME information listed above. Also, our Gateway Antivirus (GAV) service does scan PDF files for malware. In many cases, simply enabling our GAV service can protect you from some PDF-based malware.

Status:

Adobe has released patches to correct these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Adobe Patch Day Delivers One Reader and Acrobat Update

Summary:

  • This vulnerability affects: Adobe Reader and Acrobat X 10.1.1 and earlier, on Windows, Mac, and UNIX computers
  • How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: Windows users should install Adobe’s Reader and Acrobat X 10.1.2 or 9.5 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

During yesterday’s Patch Day, Adobe released one security bulletin describing six vulnerabilities in Adobe Reader and Acrobat X 10.1.1 and earlier, running on all supported platforms. Adobe doesn’t describe these flaws in much technical detail, but most of them involve memory corruption issues within Reader and Acrobat components. If an attacker can entice you into opening a specially crafted PDF file, he can exploit these types of issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

In a previous post, we described an out-of-cycle Adobe update that fixed two zero day vulnerabilities in Reader and Acrobat 9.4.6 and earlier. Those zero day flaws also affect Reader and Acrobat X. However, Adobe decided not to release the X updates at the time, since they believe that X’s built-in protection mechanisms would prevent attackers from exploiting the flaws in the real world. Today’s Reader update also corrects those two outstanding issues in Reader and Acrobat X.

UPDATE: Now that Adobe has released their official bulletin, independent researchers and organizations are sharing their details about these Adobe flaws, which often include more technical depth about the issues.  If you’re a technically-minded security professional who likes to know more specifics, I’d recommend you follow some of the security mailing lists (such as FullDisclosure or Security Focus), where you may find more detailed alerts about the individual vulnerabilities like this one.

Solution Path

Adobe has released Reader and Acrobat X 10.1.2 (and 9.5 for legacy users) to fix these vulnerabilities. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

For All WatchGuard Users:

Many WatchGuard Firebox models can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s HTTP and SMTP proxy until the patch has been installed.

Keep in mind, our Gateway Antivirus (GAV) service does scan PDF files for malware. In many cases, simply enabling our GAV service will protect you from these well known, public threats.

If you decide you want to block PDF documents, follow the links below for instructions on using your Firebox proxy’s content blocking features to block .pdf files by their file extension:

Status:

Adobe has released patches to correct these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Reader and Acrobat Update Corrects Zero Day Vulnerabilities

Summary:

  • This vulnerability affects: Adobe Reader and Acrobat 9.x and earlier, on Windows, Mac, and UNIX computers (The flaws technically affect Reader X as well, but are much less exploitable)
  • How an attacker exploits it: By enticing your users into viewing maliciously crafted PDF documents
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: Windows users should install Adobe’s Reader and Acrobat 9.4.7 updates as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

In a previous post, we warned you that attackers are currently leveraging a zero day vulnerability in Adobe Reader to launch targeted attacks against certain industries. The attack arrives as a targeted phishing email, which contains a specially crafted PDF file. If you open that PDF file, it leverages the previously unknown vulnerability to execute code on your computer, with your privileges.

Adobe promised they’d release a patch for this zero day during this week, which they just did today. According to their security bulletin, this out-of-cycle update actually corrects two security vulnerabilities, which attackers have exploited in the wild. As is typically the case with Adobe, they don’t describe the flaws in much technical detail, but they do say they involve memory corruption issues with the U3D and PRC components in Reader and Acrobat. As I mentioned before, if an attacker can entice you into opening a specially crafted PDF file, he can exploit these issues to execute code with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Solution Path

Adobe has released Windows Reader and Acrobat 9.4.7 to fix these vulnerabilities on Windows systems. Though Reader versions running on other platforms (such as Macintosh and Unix) are also susceptible to these issues, Adobe does not plan to patch them till their next quarterly update, scheduled for January 10, 2012.

It’s important to note that the more recent Reader and Acrobat X (10.1.1) versions are also vulnerable to these issues. However, Adobe does not believe attackers can exploit these flaws in the X versions due to built-in protection mechanisms. Nonetheless, they will also release Reader X updates in January.

In the meantime, Windows-based Reader and Acrobat 9.x users should download and install the following updates as soon as they can, or let Adobe’s updater do it for you.

For All WatchGuard Users:

Many WatchGuard Firebox models can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s HTTP and SMTP proxy until the patch has been installed.

Keep in mind, our Gateway Antivirus (GAV) service does also scan PDF files for malware. In many cases, simply enabling our GAV service will protect you from these well known, public threats.

If you decide you want to block PDF documents, follow the links below for instructions on using your Firebox proxy’s content blocking features to block .pdf files by their file extension:

Status:

Adobe has released patches that correct these vulnerabilities on certain Windows systems. They plan to deliver the remaining updates in January.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Attackers Leverage Zero Day Reader Flaw in the Wild; Patch Coming

According to ComputerWorld and Symantec, attackers are currently leveraging a zero day vulnerability in Adobe Reader in targeted attacks against telecommunications, manufacturing, computer hardware, and chemical companies, as well as defence sector organisations like Lockheed Martin.

The attacks may have started as early as the beginning of November, and arrive as a targeted phishing email with a malicious PDF attachment. If you open said attachment, your computer gets infected with information stealing malware.

Earlier this week, Adobe confirmed this zero day flaw in a Security Advisory. The vulnerability affects all current versions of Reader and Acrobat running on any platform. Though they have not released a fix for the flaw yet, they plan to sometime next week.

Until then, we highly recommend that you inform your users to be very careful handling PDF files that come from outside your organization, whether from a trusted source or not. If you have one of our security appliances, you can also use our proxy policies to strip all PDF content if you like. That said, doing so blocks both legitimate and malicious PDF files. Also, be sure to keep both your gateway and client level antivirus software up to date, as it likely has signatures to block known variants of this attack.

As soon as Adobe releases an update to fix this issue, we will let you know in a follow-up post.

[UPDATE]:

There have also been reports of a Russian research team unveiling two zero day vulnerabilities in Adobe’s Flash Player as well. This team has no plans of informing Adobe, as they don’t believe in disclosing bugs for free. Adobe has not responded to these reports yet, but we will update you on these issues as well, as they develop. In the meantime, you can read more about these reported flaws here. — Corey Nachreiner, CISSP (@SecAdept)

Reader and Acrobat Updates Correct 13 Security Flaws

Summary:

  • This vulnerability affects: Adobe Reader and Acrobat X 10.1 and earlier, on Windows, Mac, as well as Reader 9.4.2 for  UNIX
  • How an attacker exploits it: Typically, by enticing your users into viewing a maliciously crafted PDF document
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: Install Adobe’s Reader and Acrobat X 10.1.1 update as soon as possible (or let Adobe’s Updater do it for you).

Exposure:

As part of their quarterly patch day cycle (which shares the same date as Microsoft Patch Day), Adobe released a security bulletin describing 13 security vulnerabilities (number based on CVE-IDs) that affect Adobe Reader and Acrobat X 10.1 and earlier, running on Windows and Mac, as well as Reader 9.4.2 for UNIX. The flaws differ technically, but consist primarily of buffer overflow and  memory corruption vulnerabilities, and share the same general scope and impact.

In the worst case, if an attacker can entice one of your users into downloading and opening a maliciously crafted PDF document (.pdf), he can exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. Keep in mind, Reader installs helpers in your browser to help it view PDF documents. Simply visiting a web site with a malicious embedded PDF document could trigger this type of attack.

Lately, attackers have leveraged Reader vulnerabilities in many of their email and web-based malware campaigns. We highly recommend you patch these Reader flaws as soon as possible.

Solution Path

Adobe has released Reader and Acrobat X 10.1.1 to fix these vulnerabilities. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you. Adobe plans to release Reader 9.4.6 for UNIX on November 7, 2011, so UNIX users will have to wait for their patch.

For All WatchGuard Users:

Many WatchGuard Firebox models can block incoming PDF files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PDF files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s proxies until the patch has been installed.

If you would like to use our proxies to block PDF documents, follow the links below for instructions:

Status:

Adobe has released patches that correct these vulnerabilities.

References:
