Severity: High
21 March, 2011
Summary:
- These vulnerabilities affects: Recent versions of Adobe Reader, Acrobat, and Flash Player
- How an attacker exploits it: In various ways, but most commonly by enticing your users into visiting a website containing malicious Flash or Reader content
- Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
- What to do: If you use these popular Adobe products, you should download and install their various updates as soon as possible.
Exposure:
Typically, Adobe’s quarterly Patch Day falls on the same Tuesday as Microsoft Patch Day (the second Tuesday of the month). However, a recent zero day Flash exploit circulating in the wild has encouraged Adobe to release a few out-of-cycle patches early. Today, Adobe released two security bulletins that fix a zero day Flash vulnerability in Reader, Acrobat, and Flash Player, running on all platforms (including Android).
Though the two bulletins affect different software, they both fix the same core Flash related vulnerability that we described in our earlier WatchGuard Security Center post. As usual, Adobe doesn’t describe this zero day flaw in any technical detail. However, they do mention that the flaw lies within the authplay.dll component, which all three vulnerable products use. By enticing one of your users to visit a web site or download a PDF file containing malicious flash content, an attacker could leverage this flaw to execute code with that users privileges. If your users have administrative or root privileges on the victim platform, the attacker would gain complete control.
As was the case during our first post, attackers have been exploiting this flaw in the wild (even before Adobe knew it existed). If you use the affected software (as most users do), we highly recommend you install Adobe’s updates immediately.
For more details about these update, see Adobe’s bulletins below:
Solution Path:
Adobe has released Reader, Acrobat, and Flash Player updates to fix this flaw. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you. Note: Adobe has not yet released a Reader X update for this vulnerability, since Reader X’s default sand-boxing technology should protect you from this flaw by default.That said, we do expect a Reader X update at a later date.
- APSB11-05:
- Flash Player 10.2.153.1
- Flash Player 10.2.156.12 for Android <= (link only works from Android phone)
- Google Chrome (w/Flash 10.2.154.25)
- AIR 2.6
- APSB11-06:
- Adobe Reader
- Adobe Acrobat
For All WatchGuard Users:
Some of WatchGuard’s Firebox models allow you to prevent your users from downloading certain types of files via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of some of these vulnerabilities by blocking various Adobe-related files using your Firebox’s proxy services. Such files include, .PDF, .SWF, .DIR, .DCR, and .FLV. That said, many websites rely on these files to display interactive content. Blocking them could prevent some sites from working properly. Furthermore, many businesses rely on PDF files to share documents. Blocking them would affect legitimate files as well. For that reason, we recommend the updates above instead.
Nonetheless, if you choose to block some Adobe files, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by their file extensions:
- Firebox X Edge running 10.x
- Firebox X Core and X Peak running Fireware 10.x
Status:
Adobe has released updates to fix these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)