Tech Talk

[Security Update available for Adobe Reader and Acrobat 8.1.2]

FYI...

Security Update available for Adobe Reader and Acrobat 8.1.2
- http://www.adobe.com/support/security/bulletins/apsb08-15.html
Release date: June 23, 2008
Vulnerability identifier: APSB08-15
CVE number: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2641
Platform: All platforms
Affected software versions:
    * Adobe Reader 8.0 through 8.1.2
    * Adobe Reader 7.0.9 and earlier
    * Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
    * Adobe Acrobat Professional, 3D and Standard 7.0.9 and earlier
NOTE: Adobe Reader 7.1.0 and Acrobat 7.1.0 are not vulnerable to this issue. Adobe Reader 9 and Acrobat 9, expected to be available by July 2008, are also not vulnerable to this issue.

Summary:
A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 Security Update 1 patch.

Solution:
Acrobat 8 and Adobe Reader: Adobe recommends Adobe Reader 8 users update to Adobe Reader 8.1.2 Security Update 1, available at the links below:
For Windows: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3967
For Macintosh: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3966
Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3976
Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3977
Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D Version 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3975
Users with Adobe Reader 7.0 through 7.0.9 should upgrade to Adobe Reader 7.1.0: http://www.adobe.com/go/getreader.
Acrobat 7
Adobe recommends Acrobat 7 users on Windows update to Acrobat 7.1.0, available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Adobe recommends Acrobat 7 users on Macintosh update to Acrobat 7.1.0, available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Severity rating:
Adobe categorizes this as an critical issue and recommends affected users update their installations...
NOTE: there are reports that this issue is being exploited in the wild..."

- http://blog.trendmicro.com/pdf-exploit-causes-bsod/
June 25, 2008 - "...According to the Adobe Security Bulletin on this issue*, the vulnerability exists in Adobe Reader 7.0.9 and earlier versions, 8.0 to 8.1.2, and in Adobe Acrobat 7.0.9 and earlier versions, 8.0 to 8.1.2... As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spammer which connects the compromised PC to a botnet. The common danger faced by users who encounter downloaders: you never really know what you’re going to get. Since malware writers have continuous access to the URL, they can update the downloaded file with different or more damaging payloads..."
* http://www.adobe.com/support/security/bulletins/apsb08-15.html

 

[Adobe Reader patch, now you see it, now you don't]

FYI...

Adobe Reader patch, now you see it, now you don't
- http://news.cnet.com/8301-13554_3-9979638-33.html
June 27, 2008


 

[Adobe Flash Player v10.0.12.36 released]

FYI...

Adobe Flash Player v10.0.12.36 released
- http://www.adobe.com/go/getflashplayer
October 15, 2008

Understanding the security changes in Flash Player 10
- http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes_print.html
Modified: 15 October 2008

Flash Player installation instructions
- http://www.adobe.com/products/flashplayer/productinfo/instructions/
...Installation instructions for Windows Internet Explorer... "may require administrative access to your PC..."
...Installation instructions for Windows non-Internet Explorer... "may require administrative access to your PC..."

Flash Player update available to address security vulnerabilities
- http://www.adobe.com/support/security/bulletins/apsb08-18.html
Release date: October 15, 2008 ...
CVE number: CVE-2007-6243, CVE-2008-3873, CVE-2007-4324, CVE-2008-4401, CVE-2008-4503
Platform: All Platforms
Summary: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform...
Affected software versions: Adobe Flash Player 9.0.124.0 and earlier...

- http://www.us-cert.gov/current/archive/2008/10/16/archive.html#adobe_releases_security_bulletin_for
October 16, 2008

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4324
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6243
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3873
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4401
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4503

Test your current install: http://www.adobe.com/products/flash/about/

 

[Security Update available for Adobe Reader 8 and Acrobat 8]

FYI...

Security Update available for Adobe Reader 8 and Acrobat 8
- http://www.adobe.com/support/security/bulletins/apsb08-19.html
Release date: November 4, 2008
Vulnerability identifier: APSB08-19 ...
Platform: All Platforms
Summary:
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe Reader 9 and Acrobat 9 are -not- vulnerable to these issues.
Adobe recommends users of Acrobat 8 and Adobe Reader 8 who can’t update to Adobe Reader 9 install the 8.1.3 update to protect themselves from potential vulnerabilities...

Adobe Reader:
> Adobe recommends Adobe Reader users update to Adobe Reader 9, available here:
http://www.adobe.com/go/getreader [AdbeRdr90_en_US.exe]
> Users with Adobe Reader 8.0 through 8.1.2, who can’t update to Adobe Reader 9, should update to Adobe Reader 8.1.3:
http://www.adobe.com/products/acrobat/readstep2_allversions.html [AdbeRdr813_en_US.exe] ..."

- http://secunia.com/advisories/29773
Last Update: 2008-11-05
Critical: Highly critical
Impact: Privilege escalation, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D 8.x, Adobe Acrobat 8 Professional, Adobe Acrobat 8.x. Adobe Reader 8.x
Solution: Upgrade to version 9 or update to version 8.1.3...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2549
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2992
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4812
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4813
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4814
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4815
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4816
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4817

 

[Flash Player multiple vulns - updates available]

FYI...

Flash Player multiple vulns - updates available
- http://www.adobe.com/support/security/bulletins/apsb08-20.html
Release date: November 5, 2008
Vulnerability identifier: APSB08-20
CVE number: CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823 ...
Platform: All Platforms
Summary: Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. No action is required by customers who have already updated to Flash Player 10.0.12.36. The Flash Player 9.0.151.0 update addresses the issues previously reported in Security Bulletin APSB08-18 in addition to the issues outlined in this Security Bulletin.
Affected software versions: Adobe Flash Player 9.0.124.0 and earlier.
To verify the Adobe Flash Player version number, access the About Flash Player page* ...
* http://www.adobe.com/products/flash/about/
Solution: Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center**, or by using the auto-update mechanism within the product when prompted.
** http://www.adobe.com/go/getflashplayer
For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.151.0, which can be downloaded from the following link***.
*** http://www.adobe.com/go/kb406791
Severity rating: Adobe categorizes this as a critical update due to the issues previously outlined in Security Bulletin APSB08-18 and recommends affected users upgrade to version 10.0.12.36...

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4818
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4819
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4820
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4821
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4822
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4823

 

[here]

FYI...

- http://isc.sans.org/diary.html?storyid=5312
Last Updated: 2008-11-07 15:54:09 UTC - "...at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad. The payload is in a JavaScript object embedded in the PDF document... if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild."

> See previous post in this thread ^^^.

 

[Several]

More PDF exploits...

- http://blog.trendmicro.com/adobe-reader-vulnerability-actively-being-exploited/
Nov. 11, 2008 - "Several active exploits targeting a vulnerability in Adobe Reader are now in the wild... Users with unpatched Adobe Reader software may be infected when they unknowingly access a certain remote website or are redirected there from malicious banners and ads. Upon execution, TROJ_PIDIEF.CB could crash Reader and then allow a malicious user to take control of an affected system. This compromises system security and exposes it to more threats as malicious users could easily dump adware and malicious programs..."

 

[US Federal Reserve]

FYI...

- http://blog.trendmicro.com/bogus-federal-reserve-sites-deliver-pdf-exploit/
Nov. 13, 2008 - "A -new- round of PDF exploits are being pushed by websites pretending to be the US Federal Reserve. Several spammed email messages were intercepted starting last week advertising these fake Federal Reserve pages... This spam run is still continuing as of this writing, and it is now advertising more bogus sites... These domains resolve to a single IP address with a relatively short TTL (time to live) of 3600 seconds. What’s peculiar with the above domains is that when one is using OpenDNS and browses to the prepared site, OpenDNS will report that the site is not loading. However the DNS requests over other ISP’s nameservers loaded the bogus Fed pages... The fraudulent site redirects to a porn search page a few seconds after loading, and a PDF exploit is downloaded into the system. This particular script hosting the exploit has some anti-detection routines which attempts to prevent its contents, particularly the PDF JavaScript, from being seen by nosy researchers... The PDF JavaScript is designed with downloaders of downloaders that come from different internet locations.The final component (at the end of downloader chain) the trojan infects and automatically restarts the victim PC. After restart, the infected machine launches out regularly malformed HTTPS transactions (with an interval of 6.5 seconds) to a certain server. The transaction can be considered malformed because the SSL handshake, used by normal SSL websites, is missing in this particular HTTPS traffic. Even though, the traffic is somehow still encrypted. This type of HTTPS bot has been spotted a few months earlier.
The regularity of the HTTPS traffic suggests that this is a botnet having a Web-based C&C. This is certainly an improvement over the Web-based bots of old, where traffic are seen in plaintext. The botherders have actually made it a point to hide the network actions of their bots from IDSes (intrusion detection systems) by encrypting their network traffic. Makes one wonder what else the bad guys have in store for us..."

(Screenshots and more detail available at the URL above.)

 

[Adobe Reader v9 users w/AIR v1.1 installed]

FYI...

Adobe Reader v9 users w/AIR v1.1 installed
- http://isc.sans.org/diary.html?storyid=5363
Last Updated: 2008-11-17 22:21:15 UTC - "...Adobe has released a bulletin and update to Adobe AIR* that they classify as critical. It fixes some of the same vulnerabilities announced earlier in Flash player. Time to update if you are using AIR..."
* http://www.adobe.com/support/security/bulletins/apsb08-23.html

> http://get.adobe.com/air/
Adobe AIR v1.5 Installer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5108

- http://secunia.com/advisories/32772/
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

 

[Additional disclosure of security vulnerabilities fixed in Flash Player 10.0.12.36 and Flash Player 9.0.151.0]

FYI...

Additional disclosure of security vulnerabilities fixed in Flash Player 10.0.12.36 and Flash Player 9.0.151.0
- http://www.adobe.com/support/security/bulletins/apsb08-22.html
Release date: November 17, 2008
Vulnerability identifier: APSB08-22
CVE number: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4824
Platform: All Platforms

 

[Security update available for -Linux- Flash Player 10.0.12.36 and Linux Flash Player 9.0.151.0]

FYI...

Security update available for -Linux- Flash Player 10.0.12.36 and Linux Flash Player 9.0.151.0
- http://www.adobe.com/support/security/bulletins/apsb08-24.html
Release date: December 17, 2008
Vulnerability identifier: APSB08-24
CVE number: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5499
Platform: Linux ...
Adobe recommends all users of Flash Player for Linux 10.0.12.36 and Flash Player for Linux 9.0.151.0 and earlier versions upgrade to the newest version 10.0.15.3 by downloading it from the Player Download Center*, or by using the auto-update mechanism within the product when prompted.
* http://get.adobe.com/flashplayer
For users who cannot update to Flash Player for Linux 10.0.15.3, Adobe has developed a patched version, Flash Player for Linux 9.0.152.0**, which can be downloaded from the following link...
http://www.adobe.com/go/kb406791
Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 10.0.15.3...
- http://secunia.com/advisories/33221/

SUSE update for flash-player
- http://secunia.com/advisories/33294/
Release Date: 2008-12-22
Critical: Highly critical
Impact: System access
Where: From remote...
Original Advisory: SUSE-SA:2008:059:
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00006.html

Red Hat update for flash-plugin
- http://secunia.com/advisories/33267/
Release Date: 2008-12-22
Critical: Highly critical
Impact: System access
Where: From remote...
Solution Status: Vendor Patch
Original Advisory:
https://rhn.redhat.com/errata/RHSA-2008-1047.html ...

 

[Acrobat [Reader] 0-Day On the Loose]

FYI...

Acrobat [Reader] 0-Day On the Loose
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
2009-02-19 - "The Shadowserver Foundation has recently become aware of a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9 that is currently on the loose in the wild and being actively exploited. We are aware of several different variations of this attack, however, we were provided with a sample last week in which we were permitted to analyze and detail in this post. We want to make it clear that we did not discover this vulnerability and are only posting this information to make sure others are aware and can adequately protect themselves. All of our testing was done on Adobe Acrobat Reader 8.1.0, 8.1.1, 8.1.2, 8.1.3 (latest release of 8 ), and 9.0.0 (latest release of 9)...  We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice. Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript ... Adobe has since issued a public advisory* about this issue that has been posted here. They are expecting an update by March 11th, 2009 for Adobe 9 and updates for other version (8 and 7) to follow soon after..."
* http://www.adobe.com/support/security/advisories/apsa09-01.html
February 19, 2009 - "...Adobe categorizes this as a critical issue..."

- http://blogs.adobe.com/psirt/2009/02/adobe_reader_and_acrobat_issue.html
February 19, 2009 09:18 PM

 

[js001 .3322 .org]

More on this:

- http://preview.tinyurl.com/bp67qy
February 20, 2009 Security Fix - "...In the past I have recommended the free version of Foxit Reader as a faster and more lightweight alternative for viewing PDF files. However, I have not yet been able to verify whether Foxit Reader may be similarly vulnerable...
Update, 10:34 a.m. ET: "Sherry" from Foxit wrote me back to say the company has no information to suggest Foxit is similarly vulnerable: "Currently Foxit Software have not suffered these problems. And we will pay attention to it in the future." Also, Symantec has now posted its writeup on this flaw*, saying it has received reports of targeted attacks against government, large enterprise and financial services organizations..."
* http://preview.tinyurl.com/cajqre
02-20-2009 Symantec Security Response Blog
* http://preview.tinyurl.com/cqs68s
February 12, 2009 Symantec Security Response - "... The Trojan opens a backdoor on the compromised computer. It then contacts the following remote host in order to steal information from the compromised computer: js001 .3322 .org ..."

- http://secunia.com/advisories/33901/
Release Date: 2009-02-20
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...

 

[Work Arounds & Windows Group Policy Object (GPO)]

FYI...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221
21 February 2009 - "...Work Arounds & Windows Group Policy Object (GPO)
As we mentioned the main work around for this is to disable JavaScript. Acrobat will still crash but the exploit should fail. While all platforms are reportedly affected, we should note that we have only seen active exploits for Windows and not Linux or OS X platforms. Once again to disable JavaScript in Acrobat [Reader], take the following steps:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript
Elazar Broad also wrote into us the other day and provided a GPO that can be used to disable JavaScript for Adobe Acrobat [Reader]. We have not tested it but you can grab it by clicking here*. Basically these are the keys of interest (from HKEY_CURRENT_USER):
Adobe Acrobat Reader:
Software\Adobe\Acrobat Reader\x.0\JSPrefs
Adobe Acrobat:
Software\Adobe\Adobe Acrobat\x.0\JSPrefs
Setting the DWORD "bEnableJS" to 0 will disable JavaScript...
Details Released
We knew it would not take too long - the details of the vulnerable function and enough information to potentially recreate the exploit have now been published publicly... Expect that a wider set of attackers will now start using this exploit in the near future before the patch is released. In other words... DISABLE JAVASCRIPT and patch as soon as it becomes available!"
* http://www.shadowserver.org/wiki/uploads/Calendar/adobe.txt

- http://www.kb.cert.org/vuls/id/905281
Last Updated: 2009-02-23

 

[Flash Player v10.0.22.87 released]

FYI...

Flash Player v10.0.22.87 released
- http://www.adobe.com/support/security/bulletins/apsb09-01.html
Release date: February 24, 2009
Vulnerability identifier: APSB09-01
CVE number: CVE-2009-0519, CVE-2009-0520, CVE-2009-0522, CVE-2009-0114, CVE-2009-0521
Platform: All Platforms...
Adobe categorizes this as a critical update and recommends affected users upgrade to version 10.0.22.87*...
* http://www.adobe.com/go/getflash -or- http://get.adobe.com/flashplayer/otherversions/
For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0, which can be downloaded from the following link**...
** http://www.adobe.com/go/kb406791

Version test for Adobe Flash Player
- http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507

- http://secunia.com/advisories/34012/
Release Date: 2009-02-25
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, Privilege escalation, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Apply vendor updates...
Flash Player 9.x: Update to version 9.0.159.0.
http://www.adobe.com/go/kb406791
Flash Player 10.0.12.36 and prior: Update to version 10.0.22.87.
http://www.adobe.com/go/getflash
Flash Player 10.0.12.36 and prior (network distribution): Update to version 10.0.22.87.
http://www.adobe.com/licensing/distribution
Flash Player 10.0.15.3 and prior for Linux: Update to version 10.0.22.87.
http://www.adobe.com/go/getflash
AIR 1.5: Update to version 1.5.1.
http://get.adobe.com/air
Flash CS4 Professional: Update to version 10.0.22.87.
http://www.adobe.com/support/flashplayer/downloads.html#fp10
Flash CS3 Professional: Update to version 9.0.159.0.
http://www.adobe.com/support/flashplayer/downloads.html#fp9
Flex 3: Update to version 10.0.22.87.
http://www.adobe.com/support/flashplayer/downloads.html#fp9 ...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0114
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0519
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0520
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0521
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0522
Last revised: 02/27/2009