Emergency Reader Update Expected Later this Month
11 August, 2010
Summary:
- This vulnerability affects: Adobe Flash Player, Flash Media Server, and ColdFusion for Windows, Mac, and UNIX computers
- How an attacker exploits it: Multiple vectors, such as enticing your users to a malicious website or sending malicious requests to your web server
- Impact: Various, in the worst case an attacker can execute code on your computer or server, potentially gaining control of it
- What to do: Install Adobe’s updates as soon as possible or let Adobe’s Updater do it for you
Exposure:
Yesterday, Adobe released three security bulletins describing 11 vulnerabilities (based on CVE numbers) that affect various Adobe Products, including Flash Player, Flash Media Server, and ColdFusion running on all platforms; many of them critical. We summarize these bulletins below.
- APSB10-16: Adobe Flash Player Security Update
Affects: Adobe Flash Player 10.1.53.64 and Adobe AIR 2.0.2.12610 and earlier, running on all platforms (Win, Mac, Linux, and Solaris)
Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia stats that 99% of Windows computers have Adobe Flash Player installed, so you users very likely have it. Adobe’s update fixes six security vulnerabilities in Flash Player, which they don’t describe in much technical detail. However, they do describe the general scope and impact of these flaws. In the worst case, if an attacker can lure one of your users to a malicious website, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.
Microsoft rating: Critical.
- APSB10-19: Adobe Flash Media Server Security Update
Affects: Adobe Flash Media Server (FMS) 3.5.3 and 3.0.5 and earlier, running on Windows and Linux platforms
Adobe Flash Media Server is a product specifically designed to help you stream Flash media over the web. According to Adobe, it suffers from four unspecified security vulnerabilities. Three of the vulnerabilities can lead to Denial of Service (DoS) situations, while the fourth could allow a remote attacker to execute code on your Flash Media Server. Unfortunately, Adobe doesn’t describe exactly how an attacker might exploit these vulnerabilities. We assume they’d have to send some sort of specially crafted request to the Flash Media Server. Adobe also doesn’t implicitly state what level of privilege an attacker’s code would execute with. However, they do assign a Critical rating to this flaw. Without these details we can only assume that an attacker could leverage it to gain full control of a Flash Media Server.
Microsoft rating: Critical.
- APSB10-18: Adobe ColdFusion Security Hotfix
Affects: Adobe ColdFusion 9.0.1, running on all platforms (Win, Mac, and UNIX)
Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from an unspecified directory traversal vulnerability, which is essentially a class of vulnerability that allows an attacker to gain access to directories on a server that they should not have access to, thus potentially giving them access to sensitive information. Adobe’s bulletin shares very little about the scope of this flaw, so we’re unsure how easy or hard it is for attackers to leverage. They rate the hotfix as Important.
Microsoft rating: Important.
Besides the three full security bulletins, Adobe also released an early bulletin announcing an upcoming Adobe Reader update that they plan to release later this month. Among other things, this update will include a fix for a PDF related vulnerability that a researcher named Charlie Miller disclosed at the Blackhat 2010 security conference. We expect Adobe to release this final update on or around August 16, and will publish another alert when they do.
Solution Path
Adobe has released updates to correct the issues in all these products. You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.
- APSB10-16: Adobe Flash Player Security Updates
- Download Flash Player 10.1.82.76 (or network distribution version)
- Download AIR 2.0.3
- Download Flash Professional CS5, Flash CS4 Professional and Flex 4 10.1.82.76
- Download Flash CS3 Professional and Flex 3 9.0.280
- APSB10-19: Adobe Flash Media Server Security Updates
- Download Flash Media Server version 3.5.4 or Flash Media Server version 3.0.6
- APSB10-18: Adobe ColdFusion Security Hotfix
- Install the ColdFusion update described in this technote
For All WatchGuard Users:
Attackers can exploit these flaws using diverse exploitation methods, many of which leverage normal HTTP traffic that most administrators must allow. Therefore, installing Adobe’s updates is your most secure course of action.
Status:
Adobe has released patches that correct these vulnerabilities.
References:
- APSB10-16: Adobe Flash Player Security Updates
- APSB10-19: Adobe Flash Media Server Security Updates
- APSB10-18: Adobe ColdFusion Security Hotfix
This alert was researched and written by Corey Nachreiner, CISSP.