Secplicity – Security Simplified

Adobe Patch Day: Updates for Reader X, Flash, and Shockwave Player

Severity: High

Summary:

Exposure:

Today, Adobe released three security bulletins describing vulnerabilities in three of their most widely installed products: Shockwave Player, Flash Player, and Reader and Acrobat X.

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize these three Adobe security bulletins below:

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 20 vulnerabilities that affect Adobe Reader and Acrobat X 10.1.3 and earlier, running on Windows and Macintosh. Adobe doesn’t describe the flaws in much technical detail, but does note that most of them are buffer overflow and memory corruption issues. Almost all of them share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 1 (Patch within 72 hours)

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of five unspecified memory corruption vulnerabilities that affect Shockwave Player 11.6.5.635 and earlier for Windows and Macintosh. All five flaws share the same impact. If an attacker can entice one of your users into visiting a website containing malicious Shockwave content, he could exploit these vulnerabilities to execute code on that user’s computer with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

Adobe Priority Rating: 2 (Patch within 30 days)

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, some 99% of PC users install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

Adobe’s bulletin describes a serious flaw that affects Flash Player 11.3.300.270 and earlier for all platforms. Adobe doesn’t describe the vulnerability (CVE-2012-1535) in detail, but does describe its impact. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit this flaw to execute code on your computer with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe also warns that attackers are currently exploiting this flaw in the wild via malicious Word documents that target Windows users. Because the attack vector is a document rather than a web page, even users who rarely browse are exposed. We highly recommend you patch Flash Player immediately.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software described above, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.
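Before deploying updates, most administrators want to know which machines are actually inside the affected ranges. The following Python script is an added example, not part of the original alert or any Adobe tooling. It compares installed versions against the “and earlier” ceilings quoted in the bulletin summaries above. The inventory rows and the product-name keys are constructed sample data. The point it illustrates is that version strings must be compared component by component as integers: a plain string comparison ranks “9.5.1” above “10.1.3” and treats “10.1.3” and “10.1.3.0” as different versions.

```python
"""Flag installed Adobe products that fall inside the affected ranges named in
this alert.  Ceilings come from the bulletin summaries ("X and earlier"); the
host inventory below is constructed sample data, not a real asset list."""

from typing import Dict, List, Tuple

# Highest affected version per product, as stated in the alert ("and earlier").
# Product names are this script's own labels, used only as lookup keys.
AFFECTED_THROUGH: Dict[str, str] = {
    "Adobe Reader": "10.1.3",
    "Adobe Acrobat": "10.1.3",
    "Adobe Shockwave Player": "11.6.5.635",
    "Adobe Flash Player": "11.3.300.270",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.3.300.270' into (11, 3, 300, 270) so comparison is numeric.

    Comparing the raw strings is wrong: '9.5.1' > '10.1.3' as text because
    '9' sorts after '1', yet 9.5.1 is the older release.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, installed: str) -> bool:
    """True if the installed version is at or below the affected ceiling."""
    ceiling = AFFECTED_THROUGH.get(product)
    if ceiling is None:
        return False  # product not covered by this alert
    inst, ceil = parse_version(installed), parse_version(ceiling)
    # Pad the shorter tuple with zeros so '10.1.3' compares equal to '10.1.3.0';
    # otherwise Python ranks the shorter prefix as smaller.
    width = max(len(inst), len(ceil))
    inst += (0,) * (width - len(inst))
    ceil += (0,) * (width - len(ceil))
    return inst <= ceil


# Constructed inventory: (hostname, product, installed version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-finance-01", "Adobe Flash Player", "11.3.300.270"),  # exactly the ceiling: affected
    ("ws-finance-02", "Adobe Flash Player", "11.4.402.265"),  # newer build: not affected
    ("ws-hr-07", "Adobe Reader", "10.1.3"),                    # affected
    ("ws-hr-08", "Adobe Reader", "10.1.3.0"),                  # same release, 4-part string: affected
    ("ws-eng-03", "Adobe Shockwave Player", "11.6.5.635"),     # affected
    ("ws-eng-04", "Adobe Shockwave Player", "11.6.6.636"),     # newer build: not affected
    ("ws-eng-05", "Adobe Reader", "9.5.1"),                    # older major version: affected
]


def affected_hosts(
    inventory: List[Tuple[str, str, str]],
) -> List[Tuple[str, str, str]]:
    """Return the inventory rows whose product/version pair is affected."""
    return [row for row in inventory if is_affected(row[1], row[2])]


if __name__ == "__main__":
    for host, product, version in affected_hosts(INVENTORY):
        print(f"{host}: {product} {version} is at or below "
              f"{AFFECTED_THROUGH[product]}; patch now")
```

Feed `INVENTORY` from whatever your software-inventory tool exports and the same comparison applies; the ceilings are the only values that change from one Adobe patch day to the next.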

For All WatchGuard Users:

Attackers can exploit these flaws through several delivery methods: malicious web pages, PDF files, and Office documents carrying Flash content. Installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
