Adobe Patch Day: Update for ColdFusion Zero Day and More

Corey Nachreiner

11 years ago

Severity: High

Summary:

These vulnerabilities affect: Adobe Reader and Acrobat, Flash Player, and ColdFusion
How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
Impact: Various results; in the worst case, an attacker can gain complete control of your computer
What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Yesterday, Adobe released three security bulletins describing vulnerabilities in Reader and Acrobat, Flash Player, and ColdFusion. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. Attackers have been exploiting one of the ColdFusion issues in the wild, so we recommend you patch quickly.

The summary below details some of the vulnerabilities in these popular software packages.

APSB13-15: Multiple Reader and Acrobat Memory Corruption Vulnerabilities

Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.

Adobe’s bulletin describes 27 vulnerabilities that affect Adobe Reader and Acrobat X 11.0.2 and earlier, running on any platform (Windows, Mac, Linux). Adobe’s alert only describes the flaws in minimal detail, but the majority of them involve memory corruption-related vulnerabilities, such as buffer overflows, integer overflows, use-after-free issues, and so on. For the most part, they share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit many of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.

Adobe Priority Rating: 2 (Patch within 30 days) for most, though 1 for Windows systems with 9.x and below

APSB13-14: Multiple Flash Player Memory Corruption Flaws

Adobe’s bulletin describes 13 vulnerabilities in Flash Player running on all platforms (including Linux and Android). More specifically, the flaws consist of various memory corruption flaws. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe rates these flaws with their highest severity rating for Windows computers, but a lesser severity for Mac and Linux machines.

Adobe Priority Rating: 1 for Windows (Patch within 72 hours)

APSB13-13: Critical Zero Day ColdFusion Vulnerability Patched

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. This bulletin fixes two serious vulnerabilities; one of which attackers are currently exploiting in the wild. We mentioned this zero day flaw in passing during last week’s security news video. Adobe’s bulletin doesn’t share many details, but the primary flaw is a remote code execution vulnerability. If you expose certain default ColdFusion directories, an attacker could exploit this flaw to execute code on you web server simply by sending specially crafted HTTP packets. Though not quite as bad, the second vulnerability allows attackers to remotely retrieve sensitive files from your server. Adobe rates these flaws Priority 1, so we highly recommend ColdFusion administrators update immediately–especially if you have public facing servers.

You can find a bit more detail about the zero day ColdFusion flaw in a security advisory Adobe released earlier this month.

Adobe Priority Rating: 1 (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

APSB13-15:
- Adobe Reader X 11.0.3
  - For Windows
  - For Mac
- Adobe Acrobat X 11.0.2
- Adobe Reader 9.5.4 for Linux
APSB13-14: Upgrade to the latest Flash Player (11.7.700.202 for Windows)
- Note: Android users should update via Google Play. Both Chrome and Internet Explorer (IE) 10 have Flash built in. You need to update these browsers separately. Find more details about the IE10 update here.
APSB13-13: Apply the corresponding ColdFusion hotfix. More details in this Adobe technote.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Reader files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Reader or Flash content. This, however, blocks both legitimate and malicious content. If you do want to block this Flash or Reader via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe has released patches correcting these issues.

References:

Adobe Security Update APSB13-13
Adobe Security Update APSB13-14
Adobe Security Update APSB13-15

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)