• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Update Fixes Adobe Flash Zero Day; Reader Still Vulnerable

June 11, 2010 By The Editor

Summary:

  • This vulnerability affects: Adobe Flash Player 10.0.45.2 and earlier, running on all platforms. Some flaws also affect Adobe AIR 1.5.3.9130
  • How an attacker exploits it: By enticing your users to visit a website containing malicious Flash content (or into opening a PDF with an embedded Flash file)
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player and Air

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash, often formatted as a Shockwave (.SWF) file. Adobe’s Flash Player ships by default with many web browsers, including Internet Explorer (IE). It also runs on many operating systems.

In a security bulletin released yesterday, Adobe warned of 32 vulnerabilities (based on CVE numbers) that affect Adobe Flash Player 10.0.45.2 for Windows, Mac, and Linux (as well as all earlier versions); many of them critical. Some of the flaws also affect Adobe Air 1.5.3.9130 as well. Adobe’s bulletin describes the flaws in bare minimum detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, many of these unspecified vulnerabilities could be exploited to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC. If you use Adobe Flash Player in your network, we recommend you download and deploy the latest version throughout your network as soon as possible.

One of the flaws Adobe fixed with this update is a very recent zero day Flash flaw that researchers noticed attackers exploiting earlier this week. This flaw technically lies within how Flash handles specially malformed Flash files (SWF). However, it also affects Adobe Reader and Acrobat, since they ship with Flash components in order to parse Flash content embedded within PDF documents. Attackers can exploit this particular flaw either by enticing your users to a malicious website or by luring them into viewing a specially crafted PDF file with embedded Flash content. You can read more about this zero day flaw in Adobe’s early warning advisory or in this blog post, which contains deeper technical analysis of the flaw. As mentioned, this Flash update does fix this zero day vulnerability for Adobe Flash. However, it does not fix the flawed Flash component (authplay.dll) that ships with Adobe reader. That means, Reader uses are still susceptible to the PDF variant of this vulnerability. In their advisory, Adobe promises to release a Reader and Acrobat update on July 29th (earlier than their typical patch day). Until then, you should remain wary of unexpected PDF files, or follow the workaround mentioned below.

Solution Path

Adobe has released a new version of Flash Player and Air. Specifically:

  • Flash Player 10.1.53.64
  • Air 2.0.2.12610

If you use these products in your network, we recommend you download and deploy their updates as soon as possible.

Unfortunately, Adobe has not patched the Reader and Acrobat problem yet. They plan to do so on June 29th. Until then, we recommend you tell your users to remain suspicious of unexpected .PDF files. You can also use security devices, like your WatchGuard Firebox, to block .PDF files at your gateway. Finally, if you don’t mind preventing any Flash content from working within PDF files (which may result in some Reader crashes), you can delete the flawed authplay.dll component from your Reader directory. You can find details on how to do this in the “Mitigations” section of Adobe’s Reader advisory.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from accessing Flash and PDF files (.SWF and .PDF) via the web (HTTP, HTTPS) or in emails (SMTP, POP3). If you like, you can somewhat mitigate the risk of this vulnerability by blocking .SWF and PDF files using your Firebox’s proxy services. However, many websites rely on Flash for interactive content, and blocking Flash prevents these sites from working properly. Note that many popular video streaming sites, such as YouTube and JibJab, deliver video using a Flash front end, so this technique may render many video websites unusable. Also, most businesses rely on PDF files quite regularly. So blocking them may not be an option for everyone.

Nonetheless, if you choose to block Flash  and PDF content, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .SWF and .PDF files by their file extensions:

  • Firebox X Edge running 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy
  • Firebox X Core and X Peak running Fireware 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?

Status:

Adobe has released updates to fix these Flash and Air vulnerabilities. They expect to release an Reader and Acrobat patch on June 29.

References:

  • Adobe Flash and Air Security Bulletin
  • Adobe Flash, Reader, and Acrobat zero day advisory

This alert was researched and written by Corey Nachreiner, CISSP.

Share This:

Related

Filed Under: Security Bytes Tagged With: Adobe, Zero day exploit

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Here Come The Regulations
  • Successfully Prosecuting a Russian Hacker

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use