Severity: High
Summary:
- These vulnerabilities affect: Flash Player, Reader XI, and Acrobat XI (and Adobe Air)
- How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
- Impact: Various results; in the worst case, an attacker can gain complete control of your computer
- What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.
Exposure:
Today, Adobe released or updated two security bulletins that describe vulnerabilities in two of their popular software packages; Flash Player and Reader/Acrobat X.
A remote attacker could exploit the worst of these flaws to gain complete control of your computer. We summarize the Adobe security bulletins below:
- APSB14-01: Trio of Reader and Acrobat Memory Corruption Vulnerabilities
Adobe Reader helps you view PDF documents, while Acrobat helps you create them. Since PDF documents are very popular, most users install Reader to handle them.
Adobe’s bulletin describes three vulnerabilities that affect Adobe Reader and Acrobat XI 11.0.05 and earlier, running on Windows and Macintosh. Adobe doesn’t describe the flaws in much technical detail, but does note that they involve integer overflow and memory corruption issues. They all share the same scope and impact. If an attacker can entice you into opening a specially crafted PDF file, he can exploit any of these issues to execute code on your computer, with your privileges. If you have root or system administrator privileges, the attacker gains complete control of your machine.
Adobe Priority Rating: 1 (Patch within 72 hours)
- APSB14-02: Flash Player Code Execution Vulnerability
Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.
Adobe’s bulletin describes two serious flaws in Flash Player 11.9.900.170 and earlier for all platforms. They don’t describe the vulnerabilities in much technical detail, just mentioning that one allows you to “bypass security protections” and the other allows you to defeat Address Space Layout Randomization (ASLR), which is a memory obfuscation technique that some software uses to make it harder for attackers to exploit memory corruption flaws. They do, however, describe the flaws’ impacts. In the worst case, if an attacker can lure you to a web site, or get you to open documents containing specially crafted Flash content, he could exploit a combination of these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.
Adobe Priority Rating: 1 (Patch within 72 hours)
Solution Path:
Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.
- APSB14-01:
- Adobe Reader XI 11.0.06
- Adobe Acrobat XI 11.0.06
- APSB14-02: Download the latest Flash Player
For All WatchGuard Users:
Attackers can exploit these flaws using diverse exploitation methods. Installing Adobe’s updates is your most secure course of action.
Status:
Adobe has released patches correcting these issues.
References:
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).