Adobe Partially Corrects Flash Zero Day in Reader and Acrobat

Severity: High

22 April, 2011

Summary:

• These vulnerabilities affects: Recent versions of Adobe Reader, and Acrobat
• How an attacker exploits it: In various ways, but most commonly by enticing your users into opening a Word or Excel document containing malicious Flash
• Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
• What to do: If you use these popular Adobe products, you should download and install their various updates as soon as possible.

Exposure:

Typically, Adobe’s quarterly Patch Day falls on the same Tuesday as Microsoft Patch Day (the second Tuesday of the month). However, a recent zero day Flash exploit circulating in the wild has encouraged Adobe to release an out-of-cycle patch early.

Yesterday, Adobe released updates for Reader and Acrobat to fix an unpatched Flash vulnerability, which attackers are exploiting in the wild. Since the flaw lies within a Flash component that ships with many Adobe products, it affects Reader and Acrobat as well. I mentioned this flaw already in a post a week or so ago.

As usual, Adobe doesn’t describe this flaw in any technical detail. However, they do mention that the flaw lies within the authplay.dll Flash component, which has already been subject to a very similar  previous vulnerability. By enticing you into opening specially crafted, Word, Excel, or maybe even PDF documents, attackers can leverage this unspecified flaw to execute code on your computer, with your resources. As usual, if you are an administrator, it’s game over.

See Adobe’s APSB11-08 bulletin for more details about this update.

Solution Path:

Adobe has released updates for Reader and Acrobat to fix this flaw in some of their products. They fully patch Acrobat, however, they have not released a fix for Reader X for Windows. Adobe argues that Reader X’s default security settings should protect you from these attacks, so they do not plan to release the Reader X update for Windows till their normal patch day, next June.

If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you. 

• APSB11-08:
  • Adobe Reader 10.x
  • For Windows (coming in June)
  • For Mac
  • Adobe Reader 9.x
    • For Windows
    • For Mac
  • Adobe Acrobat
    • Standard and Pro for Windows
    • Pro Extended for Windows
    • Pro for Mac

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading certain types of files via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of some of these vulnerabilities by blocking various Adobe and MS Office related files using your Firebox’s proxy services. Such files include, .DOC, .XLS,  .PDF, .SWF, .DIR, .DCR, and .FLV. That said, many websites rely on these files to display interactive content. Blocking them could prevent some sites from working properly. Furthermore, many businesses rely on these file types to share documents. Blocking them would affect legitimate files as well. For that reason, we recommend the updates above instead.

Nonetheless, if you choose to block some Adobe  and Office files, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by their file extensions:

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy

• Firebox X Core and X Peak running Fireware 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Adobe has released updates to fix these vulnerabilities.

References:

• Adobe Reader Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)