Severity: High
22 April, 2011
Summary:
- These vulnerabilities affects: Recent versions of Adobe Reader, and Acrobat
- How an attacker exploits it: In various ways, but most commonly by enticing your users into opening a Word or Excel document containing malicious Flash
- Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
- What to do: If you use these popular Adobe products, you should download and install their various updates as soon as possible.
Exposure:
Typically, Adobe’s quarterly Patch Day falls on the same Tuesday as Microsoft Patch Day (the second Tuesday of the month). However, a recent zero day Flash exploit circulating in the wild has encouraged Adobe to release an out-of-cycle patch early.
Yesterday, Adobe released updates for Reader and Acrobat to fix an unpatched Flash vulnerability, which attackers are exploiting in the wild. Since the flaw lies within a Flash component that ships with many Adobe products, it affects Reader and Acrobat as well. I mentioned this flaw already in a post a week or so ago.
As usual, Adobe doesn’t describe this flaw in any technical detail. However, they do mention that the flaw lies within the authplay.dll Flash component, which has already been subject to a very similar previous vulnerability. By enticing you into opening specially crafted, Word, Excel, or maybe even PDF documents, attackers can leverage this unspecified flaw to execute code on your computer, with your resources. As usual, if you are an administrator, it’s game over.
See Adobe’s APSB11-08 bulletin for more details about this update.
Solution Path:
Adobe has released updates for Reader and Acrobat to fix this flaw in some of their products. They fully patch Acrobat, however, they have not released a fix for Reader X for Windows. Adobe argues that Reader X’s default security settings should protect you from these attacks, so they do not plan to release the Reader X update for Windows till their normal patch day, next June.
If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.
For All WatchGuard Users:
Some of WatchGuard’s Firebox models allow you to prevent your users from downloading certain types of files via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of some of these vulnerabilities by blocking various Adobe and MS Office related files using your Firebox’s proxy services. Such files include, .DOC, .XLS, .PDF, .SWF, .DIR, .DCR, and .FLV. That said, many websites rely on these files to display interactive content. Blocking them could prevent some sites from working properly. Furthermore, many businesses rely on these file types to share documents. Blocking them would affect legitimate files as well. For that reason, we recommend the updates above instead.
Nonetheless, if you choose to block some Adobe and Office files, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by their file extensions:
- Firebox X Edge running 10.x
- Firebox X Core and X Peak running Fireware 10.x
Status:
Adobe has released updates to fix these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)
Hmm it looks like your blog ate my first comment (it was extremely long) so I guess I’ll just sum it up what I had written and say, I’m thoroughly enjoying your blog.
I as well am an aspiring blog blogger but I’m still new to everything. Do you have any suggestions for beginner blog writers? I’d certainly appreciate it.