Recently in Adobe Category

Updated: The patch for Adobe Reader (9.3.1) is now available; one of the flaws, CVE-2010-0188, was found by Microsoft's research team.

Adobe announced a number of updates yesterday, out of their normal 3-month cycle: APSB10-06 addresses a critical flaw in Adobe Flash and AIR. APSB10-07 is the announcement for an Adobe Reader and Acrobat update that will come out next Tuesday. It is applicable to Windows, Mac OS X and Unix and is rated critical as well.

McAfee's CTO George Kurtz just published some deeper insight into the attacks against Google. According to him a 0-day vulnerability in Internet Explorer was used. Microsoft has just issued an advisory KB979352 acknowledging the vulnerability on all versions of Internet Explorer, except IE v5.

It looks as if the Adobe Reader 0-day was not directly involved, contrary to what we had assumed so far.

We will update this post when further information comes to our attention.

Yesterday Adobe Systems updated its Reader product to fix a total of eight vulnerabilities. Of the eight, six allow remote code execution and are critical. One of the flaws addressed was CVE-2009-4324, the 0-day vulnerability which has had exploits in the wild since December 14, 2009, roughly a month ago. This vulnerability is exploited by including malicious code in a PDF document and is triggered by executing an embedded JavaScript program. The PDF can be delivered through e-mail or downloaded from a website, making it a fairly easy attack to execute. Interestingly enough, it seems that this particular flaw was used against Adobe itself, as pointed out by Elinor Mills at CNET.

Adobe has introduced two interesting security tools in the last two releases of the Reader product. One is an integrated update mechanism that will eventually default to automatic and silent updates; this mechanism is currently in beta and being tested with part of the installed base. The second tool is an internal blacklist that allows administrators to disable specific JavaScript functions. Adobe recently provided guidance on how to mitigate the December 0-day by using this tool. Both tools are in their initial stages but look very promising.

The fixed versions are now Reader v9.3 and v8.2. What is important for Adobe Reader v7 users to know is that v7 is now out of support (as of 12/28/2009 - see: http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#86) and no longer receives security fixes. However, it is impacted by the December 0-day. IT administrators should take inventory of their v7 users and upgrade them to the current standard of v9.
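One way to carry out the inventory step above, as an added Python example (this is not Qualys or Adobe code and was not part of the original post): it parses the Adobe Reader version strings collected from workstations and flags each host against the fixed levels named in this post (9.3 and 8.2) and the v7 end-of-life. The host names and version strings are constructed sample data.

```python
"""Flag Adobe Reader installs that are end-of-life or below the fixed release."""
from typing import Dict, List, Tuple

# Fixed levels named in the post: Reader 9.3 and 8.2. Anything older on those branches
# is outdated; the v7 branch is out of support and gets no fix at all.
FIXED_BY_BRANCH: Dict[int, Tuple[int, ...]] = {9: (9, 3), 8: (8, 2)}
EOL_MAJOR = 7  # Reader 7 (and anything older) went out of support on 12/28/2009

# Constructed inventory: (hostname, version string as reported by the installer/registry).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-finance-01", "9.2.0"),
    ("ws-finance-02", "9.3"),
    ("ws-legal-01", "8.1.7"),
    ("ws-legal-02", "8.2.0"),
    ("ws-hr-01", "7.1.4"),
    ("ws-hr-02", "v9.3.0 (enterprise)"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.2.0', 'v9.3' or '9.3.0 (enterprise)' into a tuple of ints for comparison."""
    core = text.strip().lstrip("vV").split()[0]
    parts: List[int] = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break  # stop at the first non-numeric component
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(parts)


def classify(version: str) -> str:
    """Return 'eol', 'outdated', 'current' or 'unknown-branch' for one installed version."""
    parsed = parse_version(version)
    major = parsed[0]
    if major <= EOL_MAJOR:
        return "eol"
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        return "unknown-branch"  # e.g. a release newer than this table knows about
    # Tuple comparison does the right thing: (9, 2, 0) < (9, 3) and (9, 3, 0) >= (9, 3).
    return "current" if parsed >= fixed else "outdated"


def audit(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status so the 'eol' and 'outdated' lists can go straight to deployment."""
    report: Dict[str, List[str]] = {"eol": [], "outdated": [], "current": [], "unknown-branch": []}
    for host, version in inventory:
        report[classify(version)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:15} {', '.join(hosts) or '-'}")
```

Version strings from real deployments are messier than a single dotted number, so the parser tolerates a leading "v" and trailing text; the branch table is the one thing to update as new fixed levels ship.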

Microsoft starts 2010 slowly - a single bulletin containing one vulnerability in the Embedded OpenType Font (EOT) engine. Due to the memory model in Windows 2000 the vulnerability is critical on that version of the Windows operating system; all others receive a low severity rating. The flaw can be exploited through any OpenType-enabled application such as Internet Explorer, PowerPoint, Word, etc., by viewing a webpage or a document. Users of Windows 2000 should upgrade as quickly as possible.

There are 2 significant releases from other vendors today:
  • Oracle has released their quarterly Critical Patch Update today. It contains 25 fixes for 7 of their products, including application servers and database engine. The majority of the vulnerabilities are remotely exploitable without authentication and IT admins should be taking a close look at the exposure these products have in their networks. In general database engines should have no necessity to be connected to open networks, but the application servers are very likely exposed.
  • Adobe is also publishing their quarterly patch - and it will address a vulnerability in Adobe Reader that was documented as being actively exploited in the wild since the week before Christmas. Workarounds are available; the official recommendation is to blacklist the JavaScript function that is being exploited. Blacklisting is a capability introduced by Adobe in their last update to Adobe Reader v9 and v8 in October 2009 and might not be familiar to many IT admins yet. An alternative recommendation is to turn off JavaScript completely in Adobe Reader - JavaScript has played a major role in the exploitation of Adobe Reader in 2009, so this is a good preventive and defensive measure. As this setting disables functionality potentially needed by users, IT admins need to evaluate their individual situations.

    This release is also introducing the new Adobe updater process, which according to Brad Arkin's tweet will come preconfigured for automatic, silent updates à la Google Chrome.

Intevydis, a security research company in Russia, announced last week that it will publish server-based 0-day vulnerabilities for the next 3 weeks. The first two are live and have POC code for Sun Directory Server 7.0 and Tivoli Directory Server 6.2. We are monitoring these releases and will keep you updated on further developments.

Over the weekend Jericho published on the OSVDB blog an analysis of annual vulnerability numbers that Elinor Mills from CNET had written about on Thursday in her InSecurity Complex blog. Some of the numbers originated from Qualys and we were not specific enough on the exact scope. As Jericho speculated our numbers were indeed for a more narrow set of products - not for all of Adobe and Microsoft software, but specifically for Adobe Reader and Microsoft Office. Elinor has since updated the article.

The overall point that we are trying to make remains the same - patching such applications is being neglected by most IT admins and attackers have increasingly shifted their attention to exploiting vulnerabilities in them. On Friday Brad Arkin from Adobe stated that Adobe Reader as a cross operating system application has a bigger installed base than Microsoft Windows, which makes it a very attractive target to attack.

What is your opinion on why the number of vulnerabilities found in Adobe Reader has gone up in 2009? Did attackers first notice that there was potential, start writing exploits, and then security researchers followed up, or was it the other way around?

I am looking forward to your comments...

Yesterday Adobe's PSIRT acknowledged a flaw in Adobe Reader in the handling of PDF documents that is being exploited in the wild. The flaw affects Adobe Reader under Windows, Mac OS X and Linux/Unix. Symantec identifies the attack as Trojan-Pidief.H.

The ISC's handler on duty Pedro Bueno posted additional information.

Stay tuned for more information about potential workarounds - some have suggested turning off JavaScript in Adobe Reader which we think is a best practice anyway, but we do not know whether this is helpful for this attack.

Update: according to the advisory, turning off JavaScript is the recommended workaround, and enabling DEP in newer versions of Windows provides further protection.

Microsoft closes 2009 with its last regular patch release, adding 6 bulletins and bringing the year's total to 74. December's release is by our current standards a rather normal workload of 12 individual vulnerabilities. As expected, Bulletin MS09-072 fixes the critical 0-day Internet Explorer vulnerability that was publicly disclosed just 3 weeks ago. Microsoft credits iDefense for the vulnerability, so it appears that they had been working on the issue already. Still, kudos to the team at Microsoft for the quick release. This patch is rated for immediate deployment as attackers are actively working on making the POC into a reliable exploit. The advisory further contains an additional 4 vulnerabilities, with 3 affecting Internet Explorer 8, including on Windows 7. BTW, this is the only bulletin this month that affects Windows 7 and Windows 2008 R2.

Bulletin MS09-070 deals with remote code execution in Active Directory on Windows 2003 and 2008. It is rated as Important because it requires the attacker to be authenticated. If the attacker has credentials, an exploit can be used to execute code on the Active Directory server and impact the core infrastructure of corporate environments - we recommend fixing it as quickly as possible after internal testing.

MS09-073 and MS09-074 address vulnerabilities in file formats for Word/Wordpad converters and MS-Project. Both allow remote code execution when users open specifically crafted files that can be received through e-mail or downloaded from a website. Install the patches as quickly as possible and review whether extended testing is necessary in your environment.

The 2 remaining bulletins, MS09-069 and MS09-071, address the Windows operating system, one in the well-known LSASS component and the other in the Internet Authentication Service (IAS). The LSASS issue is a resource-consumption denial-of-service vulnerability only, and the IAS issue only affects Windows 2008 with MS-CHAP v2 enabled. The exploitability index for both is 2 and we think these patches should be installed as necessary.

The highly critical vulnerability in IE6/7, with an exposure window to exploits of over 3 weeks without the availability of a patch, should put the task of getting users off IE6/7 at the top of IT admins' New Year's resolutions for 2010. They have to be migrated to a more modern browser, with the most viable options being IE8 with its well-known patching mechanism or Firefox 3 with its more aggressive patching schedule.

Outside of the direct Microsoft realm, Adobe will release an update for a critical Flash vulnerability that we recommend installing right away.

October 2009's Microsoft Patch Tuesday is a massive release with 13 advisories covering 34 vulnerabilities. 2 advisories address last month's 0-day vulnerabilities - SMBv2 and FTP for IIS - in a very quick turnaround. However, another 6 vulnerabilities are tagged as having information disclosed publicly before today's patch release. Of the total set of vulnerabilities a full 22 are of critical severity and should be addressed as quickly as possible. A large selection of software is affected: all versions of Windows (including Windows 7), Windows Media Player, Office and also Silverlight - Microsoft's new rich media development tool. Internet Explorer also receives an update for 2 critical vulnerabilities - one of them disclosed at the Black Hat security conference.

MS09-054 is a fix for critical vulnerabilities in all versions of Internet Explorer and, interestingly, can also affect non-Microsoft software - namely Firefox, the browser from Mozilla. The Microsoft .NET runtime installs a plug-in into Firefox that allows XAML Browser Applications (XBAP) to be launched through Firefox and serves as a conduit to the vulnerable component of Windows.

The biggest set of vulnerabilities this month is addressed by MS09-062, which fixes 8 flaws in the GDI+ graphics library. This library is widely used in applications as diverse as Microsoft Office, Visual Studio development tools, SQL Server and even Forefront Security Client.

Another set of 2 vulnerabilities disclosed at Black Hat (two video presentations were given - worth watching) is addressed by MS09-056. It provides a fix to the CryptoAPI library and the much talked about "null prefix certificate" flaw, which allows for the impersonation of an arbitrary SSL certificate by embedding a NULL character at the right spot in the certificate request. Earlier this month a certificate that impersonated www.paypal.com was leaked to the Full Disclosure mailing list. The vulnerability is rated only as "important" because it does not allow the attacker to take over the machine, but it can be used to steal the user's credentials to any web site.
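To make the mechanism concrete, here is an added Python example (not Microsoft's CryptoAPI code and not from the original post) that models the two ways a client can compare a certificate's Common Name against the host it connected to: a C-string comparison that stops at the first NUL byte, and a length-aware comparison that rejects any name containing one. The crafted name and the attacker-controlled.example domain are constructed sample values; the strict matcher and the inventory helper are the checks a defender wants in place.

```python
"""Why a NUL byte in a certificate's Common Name fooled NUL-terminated string compares."""
from typing import List

# Constructed sample: the name as it sits in the certificate, with its ASN.1 length covering
# all bytes. A CA validating domain control sees the whole string; a C string routine does not.
CRAFTED_CN = b"www.paypal.com\x00.attacker-controlled.example"
HONEST_CN = b"www.paypal.com"


def c_string(raw: bytes) -> str:
    """Model how C string routines see a buffer: everything before the first NUL byte."""
    end = raw.find(b"\x00")
    return (raw if end < 0 else raw[:end]).decode("latin-1")


def match_truncating(cn_raw: bytes, hostname: str) -> bool:
    """The flawed comparison: the length-prefixed name is handed to code that stops at NUL,
    so only the prefix before the NUL is ever compared with the hostname."""
    return c_string(cn_raw).lower() == hostname.lower()


def match_strict(cn_raw: bytes, hostname: str) -> bool:
    """Hardened comparison: honour the full encoded length and refuse names carrying a NUL
    (no DNS name legitimately contains one), then compare case-insensitively."""
    if b"\x00" in cn_raw:
        return False
    try:
        cn = cn_raw.decode("ascii")
    except UnicodeDecodeError:
        return False  # DNS names are ASCII; anything else is not a match
    return cn.lower() == hostname.lower()


def names_with_embedded_nul(names: List[bytes]) -> List[bytes]:
    """Detection helper for a certificate inventory: list every subject/SAN name with a NUL."""
    return [name for name in names if b"\x00" in name]


if __name__ == "__main__":
    host = "www.paypal.com"
    print("truncating compare accepts crafted name:", match_truncating(CRAFTED_CN, host))
    print("strict compare accepts crafted name:    ", match_strict(CRAFTED_CN, host))
    print("strict compare accepts honest name:     ", match_strict(HONEST_CN, host))
```

The point of the split is that the CA and the client were looking at different strings: the CA validated the full name and the client only compared the part before the NUL. Any name check that honours the encoded length (or simply refuses NUL bytes) closes that gap.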

Important: Adobe released their patch for Adobe Reader, the popular PDF viewer. Adobe Reader versions 7, 8 and 9 are vulnerable on all versions of Windows and Mac OS X. Adobe had acknowledged the existence of exploits focused on v9 and Windows last week. This is a critical update that should be applied as soon as possible.

The SANS Institute just published the Top Cyber Security Risks Report for the first half of 2009. In this report TippingPoint, SANS and Qualys collaborated using attack, vulnerability and forensics data to provide the latest trends in the security field.

Enterprise IT administrators and tech-savvy computer end users alike will find interesting information that will help them secure their computers against current threats in the typical software installed on their machines, such as Adobe Reader and Flash, Apple QuickTime, Microsoft Office and Sun Java. The report clearly demonstrates a lag in installing security patches for these productivity applications, despite the attention they get in the press and from the security community. Since all of them are widely installed in businesses, we advise organizations to treat them with the same attention as OS and network vulnerability patches and to include them in their regular patching process.

Yesterday the Mozilla Foundation announced on their security blog that Firefox will start checking for outdated Flash plug-ins. This is a great way of improving the security of web browsers: Flash is often used by attackers to exploit client machines and is unfortunately notoriously difficult to update, requiring (on Windows) different update packages for Internet Explorer and all other browsers.

Now we just need to convince Hillary Clinton to let the Department of State use Firefox.

[Screenshot: FlashUpdate.png]

As you can see, this worked fine for me on my Mac under Firefox 3.0.14.

This has been an exciting week in the security space: first Adobe and now Microsoft have announced that they will deliver out-of-band patches next week.
Both vulnerabilities are rated critical and are found in very common software components - all versions of IE (6, 7 and 8) are vulnerable, while Adobe says that updates will be shipped for Flash 9 and 10 and also Adobe Reader 9. IT administrators should prepare for a quick turnaround.

June's Patch Tuesday is generating major workload for IT administrators. Microsoft released their biggest number of patches in recent memory, not only for Windows systems, but also for their Mac Office suite. Adobe has patches for their Reader product for Windows, Mac and Unixes and Apple released a production version of Safari 4 for Mac OS X and Windows.

Microsoft's 10 bulletins patch a total of 31 vulnerabilities, extending to almost all of their products on both servers and workstations. Most urgent on the server side are MS09-018 for the Active Directory vulnerabilities and MS09-020 for the IIS/WebDAV vulnerabilities, as both are categorized as critical and have the highest rating (Consistent exploit code likely) in the Microsoft exploitability index. MS09-022 - Windows Print Spooler - is rated critical as well, affects both servers and workstations and so has a higher exposure potential than the other server-based vulnerabilities. MS09-025 brings 4 updates for the Windows base operating system kernels, and even the new Vista and 2008 versions are affected by 3 of them.

On the workstation side, beyond MS09-022 and MS09-025 we have the updates for Internet Explorer, Word, Excel and Windows Search. MS09-019 has patches for 8 IE vulnerabilities for all versions from IE5 to IE8 - however it is interesting to note that IE8 is only affected by a single vulnerability, which was recently disclosed at the CanSecWest conference in the Pwn2Own contest sponsored by TippingPoint's ZDI.

As expected we did not see a patch for the DirectShow vulnerability acknowledged by Microsoft 10 days ago in KB971778. While they have the patch, it is still undergoing quality assurance and stability testing. For Macintosh users, Microsoft provided the patch for last month's disclosed vulnerabilities - MS09-017 for PowerPoint. Users of both Office 2004 and Office 2008 are advised to upgrade to fix a remote code execution issue.

As Adobe had announced previously they also published their quarterly patches this 2nd Tuesday of the month. Currently we see that a patch has been released, but there is no further detail available as to the vulnerabilities covered.

Update: The Adobe advisory is out and it shows a total of 14 vulnerabilities. The patch covers Adobe Reader on Windows and Macintosh. Unix users will have to wait until June 16th to get their fixes.

Microsoft's May Security Bulletin contains a single advisory for PowerPoint in Microsoft Office (MS09-017). It addresses 14 distinct vulnerabilities, including the 0-day vulnerability that was identified in the beginning of April 2009. While the vulnerabilities rank only as important on most versions of Microsoft Office, they are all categorized as "remote code execution" and have a low exploitability index, meaning exploits are relatively easy to write and can be expected to be used soon in attacks.

One of the mentioned workarounds for CVE-2009-0556, the 0-day vulnerability patched in this advisory, is installing MOICE (KB937696). MOICE stands for "Microsoft Office Isolated Conversion Environment," a toolset that sanitizes Office documents opened through browsing and e-mail by removing potentially dangerous code. It has been available since May 2007 and is cited as a workaround in eight of Microsoft's 78 advisories in 2008. MOICE is an interesting tool for reducing the risk produced by the increasing number of file format vulnerabilities. Its limitation is that it only works with Office 2003 and 2007; Office 2000 and Office XP are not supported.

In addition to the Microsoft patches both Adobe and Apple released their equivalent of "Patch Tuesday" advisories. Adobe fixed a recent critical 0-day vulnerability in their Acrobat and Reader product lines. Compared to their February patch for a known 0-day, this time around they reacted much faster and published patches for Windows, Mac OS X and Unix simultaneously. Adobe software is widely installed and according to statistics from F-Secure PDF based file exploits are on the rise - 49% for the first 4 months of 2009 compared to 28% in 2008.

Apple's patches address a variety of critical issues in OS X and the Safari browser. The advisory for OS X addresses over 40 vulnerabilities and the Safari advisory applies to both OS X and Windows.

For the 2nd time in 2009 Adobe has to deal with a 0-day announcement. Securityfocus BID 34736 has the exploit code, which should be straightforward for attackers to incorporate into their existing "outreach" mechanisms. Once again the JavaScript implementation in Adobe Reader is the culprit and Adobe officially recommends turning off JavaScript as a work-around, until a patch becomes available. While I expect that attacks will focus on the Windows platform, the vulnerability is truly cross-platform and affects Windows, Macs and Linux. File format vulnerabilities of this kind represent a significant attack vector, but they continue to be neglected by IT administrators. Our ongoing analysis of the previous Adobe vulnerability APSA09-01 (released February 2009, patch available on March 10 as shown by the red line in the graph) shows no significant reduction in the number of exploitable machines.

[Graph: adobe_april_09.PNG]

If this trend continues to persist for the Adobe Reader vulnerabilities, as it did throughout 2008 and as demonstrated in Laws 2.0, attackers don't need to rush anymore; they can take their time figuring out the best way to get an infected PDF file to their victims.

Yesterday, on 3/24 Adobe delivered the last of their patch set for the critical Adobe Reader and Acrobat vulnerability that has garnered plenty of attention in the past month. Two weeks ago the patch was for v9, last week's was for v8 and v7 and this week the Linux and Unix population were taken care of. And now we are fully covered, except that nobody seems to care! Our stats fail to show significant traction for this vulnerability, which is different from what we normally see in high profile vulnerabilities (red lines denote availability of the patch week 1 and week 2):

[Graph: apsb09_003_1b.PNG]

Since its initial announcement we have seen overall high occurrence numbers for this vulnerability, comparable only to critical Microsoft Windows or Office vulnerabilities. I believe that we have not seen a downward trend yet for the following reasons:
  • The patch was initially limited to Adobe Reader and Acrobat v9, while the vulnerability exists in v7,8 and 9
  • There does not seem to be a working automatic update mechanism. My Adobe Reader v9 has been running idly for over a week, even though automatic updates were enabled in the Preferences section
  • This is not a vulnerability by an OS vendor and thus is flying under the radar
This vulnerability requires all our attention; exploits have been around for over 2 months and are readily available to all malware writers. So patch now! In addition, turn off JavaScript in Adobe Reader if you don't need it in your line of business. Organizations can also evaluate alternatives to Acrobat (search for "adobe reader pdf alternatives" in your favorite search engine) that are potentially less exposed targets, but shop around a bit as some of them have their own flaws and active exploits. I have been using such an alternative for the last 2 weeks and have not encountered any compatibility problems in my usage - reading simple PDF documents.

Yesterday, one day ahead of the initial schedule, Adobe released a patch for a critical vulnerability in Adobe Reader 9. Patches for v8 and v7 are expected next week, and a version for Unix in another 2 weeks. The vulnerability (APSA09-01) can be used by an attacker to take control of the affected system. Targeted exploits had been reported by a number of security companies (Symantec, McAfee) in February.

Adobe was first notified of the problem in January and has been working for the last 2 months to develop and test the patch and is finally ready to get it out to its users. According to our data Adobe Reader is a widely installed software package and I would expect that most PCs have a copy of it. 2 months is a rather long time to address the issue and it makes me wonder whether Adobe has a setup to react to security flaws, without going through normal product cycles. Vulnerabilities of such magnitude need to be handled out-of-band, through a dedicated team that has the resources to quickly develop, test and publish the fix.

If you are still not convinced that this is a highly critical security flaw, I suggest that you take a look at Didier Stevens's blog, where he demonstrates in a video a number of ways to infect a vulnerable machine by just looking at an infected document and another way that uses the Windows Indexing Service to run the exploit and give control of the machine to the attacker. This latter one requires no user action at all.

Apparently disabling JavaScript is/was a partial workaround for the vulnerability. Given that JavaScript in Adobe Acrobat has had its own share of vulnerabilities in the past, it seems reasonable to turn it off by default. I have now been running without JavaScript in my Adobe Reader for months and I have not noticed any adverse effects in my typical office-oriented usage. In my opinion this is now becoming a best practice security setting that should only be relaxed based on end-user needs, for example for online form usage or workflow automation.

We will monitor closely the adoption of the patch, however considering that so far my Adobe Reader has not prompted me to upgrade my software I am doubtful the adoption will be quick enough. Stay tuned...

Last week, on Thursday February 19, Adobe released an advisory notifying its users of a critical vulnerability in Adobe Reader and Adobe Acrobat version 9 and earlier. The vulnerability can be used by an attacker to take control of the affected system. Targeted exploits have been reported by a number of security companies (Symantec, McAfee) and the US-CERT has covered the vulnerability in Security Alert TA09-051A. In our QualysGuard product we detect the flaw as a zero-day vulnerability - Id: 116234 Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01).
 
Adobe expects to release a patch by March 11th. In the interim, one can disable JavaScript within Adobe Reader as a workaround.
 
This is not the first time that the JavaScript component of Adobe Acrobat has been the subject of a vulnerability advisory. In fact there were multiple occurrences in 2008: in November Acrobat 8 had a JavaScript vulnerability, as it did in June and in May of 2008.
 
I have been running without JavaScript in my Adobe Reader for months and I have not noticed any adverse effects in my typical office oriented usage. Should this be the default behavior for Acrobat? In my opinion this is now becoming a best practice security setting, that should only be relaxed based on end-user needs.

To help IT administrators in verifying this configuration setting, we are providing a check within our Policy Compliance product - "Adobe Reader JavaScript shall be disabled".
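The check above, and the JavaScript function blacklist discussed in the January posts, both come down to a few registry values on a Windows workstation. As an added Python example (not the Qualys Policy Compliance check itself and not Adobe's code), the following reads a registry export (.reg file) and evaluates the "Adobe Reader JavaScript shall be disabled" control, reporting the blacklist as a partial mitigation when JavaScript is still on. The registry paths are the ones Adobe documents for Reader 9 (bEnableJS under the user's JSPrefs key, bDisableJavaScript and cJavaScriptPerms\tBlackList under the FeatureLockDown policy key); the two exports and host labels are constructed, and DocMedia.newPlayer is the function Adobe's December 2009 guidance named for the blacklist, which this page does not state.

```python
"""Evaluate 'Adobe Reader JavaScript shall be disabled' from a Windows registry export."""
import re
from typing import Any, Dict, List

# Registry locations Adobe documents for Reader 9 (assumption: the 9.0 version key).
USER_JSPREFS = r"HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs"
LOCKDOWN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown"
JSPERMS = LOCKDOWN + r"\cJavaScriptPerms"

# Constructed .reg exports from two workstations. DocMedia.newPlayer is the function Adobe's
# December 2009 guidance told admins to blacklist; it is not named on this page.
EXPORT_WS_NONCOMPLIANT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cJavaScriptPerms]
"tBlackList"="DocMedia.newPlayer"
"""

EXPORT_WS_COMPLIANT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown]
"bDisableJavaScript"=dword:00000001
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode(data: str) -> Any:
    """Decode the data side of a .reg line: dword:XXXXXXXX -> int, "text" -> str, else raw."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse a .reg export into {key_path_lower: {value_name_lower: data}}.
    Registry names are case-insensitive, so everything is lower-cased for lookup."""
    tree: Dict[str, Dict[str, Any]] = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        section = _SECTION.match(line)
        if section:
            current = section.group(1).lower()
            tree.setdefault(current, {})
            continue
        value = _VALUE.match(line)
        if value and current is not None:
            tree[current][value.group(1).lower()] = _decode(value.group(2))
    return tree


def lookup(tree: Dict[str, Dict[str, Any]], key: str, name: str) -> Any:
    """Case-insensitive value lookup; None when the key or value is absent."""
    return tree.get(key.lower(), {}).get(name.lower())


def evaluate_reader_js_policy(tree: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Apply the control. The FeatureLockDown policy wins over the user's preference;
    with neither present Reader ships with JavaScript enabled, so that counts as a failure."""
    locked_off = lookup(tree, LOCKDOWN, "bDisableJavaScript") == 1
    user_pref = lookup(tree, USER_JSPREFS, "bEnableJS")  # 1 = enabled, 0 = disabled
    raw_blacklist = lookup(tree, JSPERMS, "tBlackList") or ""
    blacklist: List[str] = [fn for fn in raw_blacklist.split("|") if fn]
    js_disabled = locked_off or user_pref == 0
    return {
        "compliant": js_disabled,
        "locked_by_policy": locked_off,
        "blacklisted_functions": blacklist,
        "note": ("JavaScript disabled" if js_disabled else
                 "JavaScript enabled; only the blacklisted functions are mitigated"
                 if blacklist else "JavaScript enabled and no blacklist in place"),
    }


if __name__ == "__main__":
    for label, export in (("ws-noncompliant", EXPORT_WS_NONCOMPLIANT),
                          ("ws-compliant", EXPORT_WS_COMPLIANT)):
        print(label, evaluate_reader_js_policy(parse_reg_export(export)))
```

Checking the HKLM policy value and not only the user's preference matters: a user can flip bEnableJS back on at any time, whereas bDisableJavaScript under FeatureLockDown greys the option out, which is what a "shall be disabled" control really wants to see.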
