
David Baxter PhD

Late Founder
Adobe Reader 9 and Acrobat 9 zero day exploited in the wild
by Dancho Danchev, ZDNet
February 20th, 2009

Yesterday, Adobe confirmed the existence of a critical vulnerability affecting Adobe Reader and Acrobat versions 9.0 and earlier, originally detected by the Shadowserver Foundation last week.

The ongoing targeted attacks have since been confirmed by both Symantec and McAfee, who are urging users to disable JavaScript in Adobe Reader and Acrobat until Adobe issues a patch on the 11th of March, in the following way: click Edit -> Preferences -> JavaScript and uncheck "Enable Acrobat JavaScript".

Symantec's comments on the potential for massive attacks using the exploit:

So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability's use in the wild.

While examining the JavaScript code used for "heap-spraying" in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source! It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations: for example, locating the CEO's email address on the company website and sending a malicious PDF in the hope that their malicious payload will run. Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat.

For the time being, cybercriminals chose to generate less noise by launching targeted attacks, just like they did earlier this week using IE7's MS09-002 vulnerability. However, as we've previously seen, it's only a matter of time until copycat attackers start using it on a large scale.

With several targeted campaigns currently active, what are the chances that a sample malware campaign would be once again monetizing infected hosts by infecting them with rogue security software, similar to Conficker's first release? Huge.

What's important to point out is that the original targeted attacks detected by the Shadowserver Foundation are once again using a well known and previously abused Chinese DNS provider (js001.3322.org), with more details about its owner available in a related BusinessWeek article.
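A defender-side triage check for the PDF vector described in the post above, added here as an example (it is not code from the ZDNet article, Symantec or Adobe). It undoes two common hiding tricks in PDF files (#xx-escaped names and FlateDecode-compressed streams) and then reports whether a document carries JavaScript, whether that code runs automatically on open, and whether it uses the unescape()/%u run that heap-spraying scripts rely on. Both sample PDFs are constructed inline; the heuristics are assumptions about what a reviewer would want flagged, not a complete detector.

```python
import re
import zlib

# PDF names may hide keywords with #xx hex escapes (/J#61vaScript), and scripts
# usually sit inside FlateDecode streams, so both are undone before matching.
NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
JS_NAMES = (b"/JavaScript", b"/JS")          # script actions / embedded code
TRIGGERS = (b"/OpenAction", b"/AA")          # run automatically on open/event
# Spray idiom from the Symantec note: unescape() over a long %uXXXX run.
SPRAY_RE = re.compile(rb"unescape\s*\(\s*[\"'](?:%u[0-9A-Fa-f]{4}){4,}", re.I)

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names compare against plain keywords."""
    return NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that zlib can decode."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass                              # not Flate-encoded; leave as-is
    return data + b"\n" + b"\n".join(inflated)

def triage_pdf(data: bytes) -> dict:
    """Return the three indicators worth checking before a PDF is opened."""
    body = normalize_names(inflate_streams(data))
    return {
        "has_javascript": any(n in body for n in JS_NAMES),
        "auto_trigger": any(t in body for t in TRIGGERS),
        "heap_spray_like": SPRAY_RE.search(body) is not None,
    }

# Constructed samples (not real malware): a plain catalog, and a document whose
# OpenAction points at an escaped JavaScript action with a compressed script.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
_script = zlib.compress(b"var s = unescape('%u4141%u4141%u4141%u4141%u4141');")
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_script)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _script + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(pdf))
```

A "has_javascript" hit on its own is not proof of malice (forms legitimately use JavaScript); the combination with an automatic trigger and the spray idiom is what merits quarantining the file until Reader is patched or JavaScript is disabled as the advisory recommends.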
 

David Baxter PhD

Late Founder
Adobe swings and misses as PDF abuse worsens
by Ryan Naraine
February 25th, 2009

After more than two weeks (months?) of inexplicable silence on mitigations for a known code execution vulnerability in its Reader and Acrobat product lines, Adobe has finally posted public information on the problem, but the company's response falls well short of providing definitive mitigation guidance for end users.

Adobe's response simply confirms what we already know and reiterates that turning off JavaScript will NOT eliminate the risk entirely. However, the company does not offer any definitive suggestions or workarounds, instead pointing to a list of anti-malware vendors blocking known attacks.

 

David Baxter PhD

Late Founder
Critical Vulnerability Fixed in Adobe Flash Player
by Carsten Eiram, Secunia
10th March 2009

Recently, Adobe released a patch which fixes multiple vulnerabilities in Adobe Flash Player.

Since Adobe Flash Player is used in enterprise environments and some of the reported vulnerabilities may allow code execution, my Binary Analysis team has spent some time analysing the patch in order to properly understand the fixed vulnerabilities.

In the advisory from Adobe, two vulnerabilities are listed as potential code execution vulnerabilities. For the first vulnerability (CVE-2009-0520), it is stated that a buffer overflow "could potentially allow an attacker to execute arbitrary code". For the second vulnerability (CVE-2009-0519), it is stated that an input validation error "leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible".

It turns out that at least one of them is quite nasty and does indeed allow remote code execution in a very reliable manner.

Due to the limited publicly available information, we cannot be certain whether the vulnerability analysed is CVE-2009-0520, CVE-2009-0519, or even a third, silently fixed vulnerability.

However, we are certain that the vulnerability is related to how callback functions are handled and may result in data in arbitrary memory being treated as an object. Secunia has furthermore developed a reliable, fully-working exploit (available to customers on the Secunia Binary Analysis service) that allows execution of arbitrary code as soon as a user views a malicious web page.

That a vulnerability, which is so reliable and simple to exploit, exists in Adobe Flash Player is especially disturbing when looking at how many users are not running the latest version.

In our 2008 Report, we conclude that Adobe Flash Player is one of the applications that users often neglect to keep fully updated. According to results from our Secunia Software Inspector solutions, almost half of the installations (48 percent) running Adobe Flash Player 9.x were not running the latest version.

It is quite plausible that we may start seeing attacks exploiting this vulnerability in the near future. We therefore strongly recommend users to ensure that they have updated to the latest version of Adobe Flash Player. If you are a home-user and unsure if your system is properly patched, then our PSI solution can help you answer this question (companies can obtain our commercial version by contacting our sales department).

Similarly, security vendors and large enterprises creating their own custom IDS/IPS signatures can obtain detailed information about the vulnerability via our Binary Analysis service to ensure that their security products are able to detect exploit attempts.
 