Adobe Drops Reader, Shockwave, and Flash Updates on Patch Day

Severity: High

10 February, 2011

Summary:

• These vulnerabilities affects: Recent versions of Adobe Reader, Acrobat, Shockwave, Flash, and ColdFusion
• How an attacker exploits it: In various ways, but most commonly by enticing your users into visiting a website containing malicious Flash, Reader, or Shockwave content
• Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
• What to do: If you use these popular Adobe products, you should download and install their various updates as soon as possible.

Exposure:

Sharing the same day as Microsoft’s Black Tuesday (the second Tuesday of the month), Adobe’s quarterly Patch Day often gets buried under the flood of Microsoft’s updates. Nonetheless, attackers have increasingly targeted flaws in 3rd party programs, which makes Adobes’ numerous patches just as important.

On Tuesday, Adobe released four security bulletins, which included updates to fix several security vulnerabilities in many of their popular applications. The affected software includes Reader, Acrobat, Shockwave Player, Flash Player, and Coldfusion. We summarize these four bulletins below.

• APSB11-01: Shockwave Update Fixes 21 Vulnerabilities
  

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of 21 security vulnerabilitys that affect Shockwave Player 11.5.9.615 and earlier for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail. It only describes the nature and basic impact of each flaw. For the most part, the flaws consist of unspecified memory corruption vulnerabilities. Though these flaws differ technically, most of them share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.
Adobe Severity: Critical

• APSB11-02 : Flash Update Corrects 13 Security Flaws
  

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia stats that 99% of Windows computers have Adobe Flash Player installed, so you users very likely have it.

Adobe’s update fixes 13 security vulnerabilities in Flash Player (for Windows, Mac, Linux, and Solaris), which they don’t describe in much technical detail. However, they do describe the general scope and impact of these flaws. In the worst case, if an attacker can lure one of your users to a malicious website, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.
Adobe Severity: Critical

• APSB11-03: Reader Update Patches 29 Security Flaws

Adobe’s Reader bulletin describes 29 security vulnerabilities (number based on CVE-IDs) that affect Adobe Reader X and Acrobat X and earlier, running on Windows, Mac, and UNIX computers. The flaws differ technically, but consist mostly of various code execution flaws, which share the same general scope and impact. In the worst case, if an attacker can entice one of your users into downloading and opening a maliciously crafted PDF document (.pdf), he can exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Last year, we predicted that attackers would increasingly target third-party applications, like Adobe Reader. This prediction has proven true, with many confirming that Adobe Reader is the most exploited application by attackers. For those reasons, we highly recommend you download and install these Reader updates immediately.
Adobe Severity: Critical

• APSB11-04: ColdFusion Hotfix Corrects Five Vulnerabilities
  

Adobe ColdFusion is an application server that allows you to develop and deploy web applications.

According to Adobe, ColdFusion 9.0.1, running on all platforms (Win, Mac, and UNIX) suffers from five security vulnerabilities, the worst being a few Cross-Site Scripting (XSS) vulnerabilities that could potentially allow attackers to steal cookies or hijack sessions of users that visit your site. ColdFusion isn’t the most popular server out there, so I don’t expect many of our customers to be affected by these particular flaws.
Adobe Severity: Important

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

• APSB11-01: Upgrade to Shockwave 11.5.9.620
• APSB11-02: Upgrade to Flash 10.2.152.26
• APSB11-03:
  • Adobe Reader
    • For Windows
    • For Mac
    • Unix update expected Feb. 28
  • Adobe Acrobat
    • Standard and Pro for Windows
    • Pro Extended for Windows
    • 3D for Windows
    • Pro for Mac

• APSB11-04: Download and install the ColdFusion Hotfix

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading certain types of files via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of some of these vulnerabilities by blocking various Adobe-related files using your Firebox’s proxy services. Such files include, .PDF, .SWF, .DIR, .DCR, and .FLV. That said, many websites rely on these files to display interactive content. Blocking them could prevent some sites from working properly. Furthermore, many businesses rely on PDF files to share documents. Blocking them would affect legitimate files as well. For that reason, we recommend the updates above instead.

Nonetheless, if you choose to block some Adobe files, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by their file extensions:

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy

• Firebox X Core and X Peak running Fireware 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Adobe has released updates to fix these vulnerabilities.

References:

• Adobe Shockwave Player Security Bulletin
• Adobe Flash Player Security Bulletin
• Adobe Reader Security Bulletin
• Adobe ColdFusion Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP.

What did you think of this alert? Let us know at [email protected].

More alerts and articles: log into the LiveSecurity Archive.

Share This: