Secplicity – Security Simplified

Update Fixes Adobe Flash Zero Day; Reader Still Vulnerable

Summary:

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash, often formatted as a Shockwave (.SWF) file. Adobe’s Flash Player ships by default with many web browsers, including Internet Explorer (IE). It also runs on many operating systems.

In a security bulletin released yesterday, Adobe warned of 32 vulnerabilities (based on CVE numbers) that affect Adobe Flash Player 10.0.45.2 for Windows, Mac, and Linux (as well as all earlier versions), many of them critical. Some of the flaws also affect Adobe Air 1.5.3.9130. Adobe’s bulletin describes the flaws in bare minimum detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, many of these unspecified vulnerabilities could be exploited to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit these flaws to gain full control of their PC. If you use Adobe Flash Player in your network, we recommend you download and deploy the latest version throughout your network as soon as possible.

One of the flaws Adobe fixed with this update is a very recent zero day Flash flaw that researchers noticed attackers exploiting earlier this week. This flaw technically lies within how Flash handles specially malformed Flash files (SWF). However, it also affects Adobe Reader and Acrobat, since they ship with Flash components in order to parse Flash content embedded within PDF documents. Attackers can exploit this particular flaw either by enticing your users to a malicious website or by luring them into viewing a specially crafted PDF file with embedded Flash content. You can read more about this zero day flaw in Adobe’s early warning advisory or in this blog post, which contains deeper technical analysis of the flaw. As mentioned, this Flash update does fix this zero day vulnerability for Adobe Flash. However, it does not fix the flawed Flash component (authplay.dll) that ships with Adobe Reader. That means Reader users are still susceptible to the PDF variant of this vulnerability. In their advisory, Adobe promises to release a Reader and Acrobat update on July 29th (earlier than their typical patch day). Until then, you should remain wary of unexpected PDF files, or follow the workaround mentioned below.

Solution Path

Adobe has released a new version of Flash Player and Air. Specifically:

If you use these products in your network, we recommend you download and deploy their updates as soon as possible.

Unfortunately, Adobe has not patched the Reader and Acrobat problem yet. They plan to do so on June 29th. Until then, we recommend you tell your users to remain suspicious of unexpected .PDF files. You can also use security devices, like your WatchGuard Firebox, to block .PDF files at your gateway. Finally, if you don’t mind preventing any Flash content from working within PDF files (which may result in some Reader crashes), you can delete the flawed authplay.dll component from your Reader directory. You can find details on how to do this in the “Mitigations” section of Adobe’s Reader advisory.
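For sites that cannot block every .PDF at the gateway, the following added example (not from Adobe's advisory or from WatchGuard) triages PDF files for embedded Flash content, going a step beyond extension blocking. It assumes Flash is attached through a /RichMedia annotation or a stream whose decoded bytes begin with the SWF signatures FWS or CWS; the function names and sample bytes are constructed for illustration.

```python
import re
import zlib

SWF_MAGIC = (b"FWS", b"CWS")  # uncompressed / zlib-compressed SWF signatures
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_names(data: bytes) -> bytes:
    """Undo #xx name escapes so /Rich#4dedia is read as /RichMedia."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate(raw: bytes) -> bytes:
    """FlateDecode a stream body; return it unchanged if it is not zlib data."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw


def flash_indicators(pdf: bytes) -> list:
    """List the signs that a PDF carries Flash content for Reader to play."""
    findings = []
    if b"/RichMedia" in decode_names(pdf):
        findings.append("richmedia-annotation")
    for match in STREAM_RE.finditer(pdf):
        body = match.group(1)
        if body[:3] in SWF_MAGIC or inflate(body)[:3] in SWF_MAGIC:
            findings.append("swf-stream@%d" % match.start(1))
    return findings


def make_sample_pdf(payload: bytes, subtype: bytes) -> bytes:
    """Constructed input: one annotation object plus one Flate-compressed stream."""
    body = zlib.compress(payload)
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype " + subtype + b" >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # Constructed samples: a stub SWF header (not a real movie) and plain page text.
    flash_pdf = make_sample_pdf(b"CWS\x0a" + b"\x00" * 16, b"/Rich#4dedia")
    plain_pdf = make_sample_pdf(b"BT (hello) Tj ET", b"/Link")
    print("flash sample:", flash_indicators(flash_pdf))
    print("plain sample:", flash_indicators(plain_pdf))
```

A hit means the file carries content for Reader's Flash component, not that it is malicious, and encrypted PDFs will evade both checks.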

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from accessing Flash and PDF files (.SWF and .PDF) via the web (HTTP, HTTPS) or in emails (SMTP, POP3). If you like, you can somewhat mitigate the risk of this vulnerability by blocking .SWF and .PDF files using your Firebox’s proxy services. However, many websites rely on Flash for interactive content, and blocking Flash prevents these sites from working properly. Note that many popular video streaming sites, such as YouTube and JibJab, deliver video using a Flash front end, so this technique may render many video websites unusable. Also, most businesses rely on PDF files quite regularly, so blocking them may not be an option for everyone.

Nonetheless, if you choose to block Flash and PDF content, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .SWF and .PDF files by their file extensions:

Status:

Adobe has released updates to fix these Flash and Air vulnerabilities. They expect to release a Reader and Acrobat patch on June 29.

References:

This alert was researched and written by Corey Nachreiner, CISSP.
