Recently in Adobe Category

Today Adobe published an out-of-band update APSB10-17 for a 0-day vulnerability published during Charlie Miller's BlackHat talk.

The vulnerability is critical and can be used to take control of the targeted computer and should be addressed as soon as possible.

Adobe credits Tavis Ormandy for the discovery of the vulnerability. It seems that Tavis reported the vulnerability to Adobe before Charlie's Black Hat presentation. This illustrates an effect that security researchers have long tried to call attention to: it is possible, and seems to happen every once in a while, that the same vulnerability is discovered independently by security researchers and/or malware writers. Tipping Point's ZDI initiative would be in a position to publish statistics on how often they see such an overlap.

The update also includes the Flash update released last week (Adobe Reader brings its own embedded Flash version) - APSB10-016 - and further improves the handling of vulnerability CVE-2010-1240, which was first addressed in June in APSB10-015.

A busy week - in addition to Microsoft's August Patch Tuesday, which delivers a record-setting 15 bulletins covering 35 vulnerabilities, Adobe has just released a Flash update and will be releasing a patch for an Adobe Reader 0-day vulnerability published a few weeks ago at the Black Hat security conference. To help with this challenging patch workload, we have ranked the Microsoft bulletins into three distinct groups of updates, which can be addressed on different schedules.

IT admins should first tackle the updates that represent the biggest attack potential: end-users and internet browsing are the subject of six bulletins, all of them of critical severity and four of them with an exploitability rating of "1", indicating that working exploits are expected within 30 days. MS10-053 has six direct fixes for Internet Explorer, while the ZDI-submitted MS10-055 and MS10-052 address issues in media plug-ins: MS10-055 for the Cinepak codec and MS10-052 for the MP3 file format. MS10-060 patches a critical .NET framework issue that can be exploited through web browsing/Silverlight and MS10-051 addresses a vulnerability in the Internet Explorer MSXML ActiveX component. MS10-049 deals with a client-side vulnerability in the HTTPS protocol that can be triggered by a malicious HTTPS site. This and the previous MSXML ActiveX component are the bulletins in the group that are rated "2" on the exploitability scale (= harder to exploit). All of these updates should be applied as soon as possible.

A second group of updates has its focus on file format vulnerabilities. The most critical is MS10-056, a vulnerability in the RTF format in Microsoft Word 2007 and older. An attacker can craft a malicious file that triggers a remote code execution when opened by Word on the target computer. Users of Outlook 2007 installations need to pay special attention, since the preview pane in Outlook is configured by default to use Word to render the RTF format. This makes Outlook 2007 susceptible to an attack that does not even require the opening of the e-mail. Apply this update as quickly as possible. MS10-057 and MS10-050 provide fixes for Excel 2003 and earlier and Windows Movie Maker (a default component in Windows XP) file format vulnerabilities. Both have an exploitability rating of "1" and should be addressed as soon as possible.

MS10-058 deals with an interesting vulnerability. It is located in the new TCP/IP stack for IPv6 under Vista, Windows 7 and 2008R2. While we believe that currently very few publicly facing network infrastructures have IPv6 enabled, this bulletin is important for them, because it is remotely attackable and few mitigations exist. It is a reminder that new OS components and applications are apt to introduce new attack vectors into networks. MS10-054 is a vulnerability in the SMB protocol; it requires read access to a share as well as attacker-controlled data on the target machine. The exploit here will most likely manifest itself as a local escalation of privilege attack.

The remainder of the August updates all address local flaws of the Windows Operating system family and are rated important as the attacker needs to be present on the target system to make use of them. MS10-047 is a Windows Kernel flaw, MS10-048 a flaw in the win32k.sys driver and MS10-059 fixes a problem in the tracing component of Windows.

Last week Microsoft released a bulletin for the 0-day flaw using the LNK filetype. If you have not done so yet, apply MS10-046 together with the first group of patches as desktop systems are at the highest risk of attack using the LNK vulnerability.

Adobe announced that they will publish an out-of-band update APSB10-17 for a 0-day vulnerability published during Charlie Miller's BlackHat talk.

Charlie Miller's BlackHat paper is a result of a collaboration with Prof. Dawn Song from UC Berkeley and a continuation of his fuzzing efforts first revealed at the CanSecWest conference. At the time the tools he used were CrashWrangler and !exploitable, but it seems that BitBlaze, the tool from Prof. Song's research group provides much better insight into exploitable application crashes.
Yesterday Adobe released its quarterly security update for Adobe Reader and Adobe Acrobat. Adobe moved the release up by 2 weeks, because some of the vulnerabilities addressed are currently being exploited in the wild. The release fixes the zero-day vulnerability in the embedded Flash player that Adobe ships within the Reader product and addresses 15 other vulnerabilities.

The new Adobe Reader also improves the treatment for the high profile "Launch" vulnerability and introduces changes and default settings that neuter that attack.

All Adobe users should update immediately because exploits for the vulnerability have been reported by many industry sources.


Today Adobe released a new version of their Flash player, which fixes the 0-day announced last Friday plus another 30-plus vulnerabilities. We recommend installing immediately. The release for the corresponding 0-day in Adobe Reader is expected on June 29.

If you run Internet Explorer plus another browser (Chrome, Firefox, Safari, Opera or a combination) you have to install updates for both IE and the others. Here are the direct download links:

On Friday Adobe announced a critical 0-day vulnerability for Adobe Flash that has been observed in active use in the wild. A successful exploit gives the attacker full control over the target machine, which can run Windows, Mac OS X, Linux and Solaris.

The vulnerability also affects Adobe Reader V9, which comes with an integrated Flash player used to play Flash content embedded in PDF documents. Adobe Reader V8 is not affected.

Attack vectors are malicious websites and infected PDF documents that can be received through e-mail or web download.

Although Adobe does not have a patch at the moment, users can evaluate Adobe's posted instructions for workarounds in the advisory itself.

Last week Qualys was at Infosecurity Europe meeting customers and demoing the new QualysGuard Malware Detection service. We also gave a presentation on integrating Vulnerability and Patch data, which you can download from here.

Microsoft's patch release for April contains 11 bulletins covering 25 vulnerabilities. The bulletins address a wide array of operating systems and software packages; IT administrators with a good inventory of their installed base will have an easier time evaluating which machines need patches.

Microsoft patches 2 open 0-day vulnerabilities - MS10-020 for the SMBv2 Denial of Service vulnerability, only present on Windows 7 and Windows Server 2008 (KB977544) and MS10-022 for the F1 attack through Internet Explorer (KB981169). MS10-020 fixes other SMB vulnerabilities as well and is a critical update for all platforms.

The most critical bulletins this month are MS10-026, MS10-027 and MS10-019. MS10-026 addresses a DirectShow vulnerability that can be exploited through visualizing a media file, which can lead to remote code execution. MS10-027 is a Windows Media Player ActiveX control vulnerability which can lead to similar results. Both are relatively easy to exploit and have a low exploitability index; however, Windows 7 users are not affected by either of the vulnerabilities. MS10-019 addresses a flaw in the Windows Authenticode algorithm involved during the installation process of new software. The flaw allows for a downgrade from the current v2 Authenticode algorithm to the deprecated v1 algorithm. If an attacker follows this downgrade with an attack on v1 (a sophisticated multi-stage attack), he could pass off malicious install packages as legitimately signed by major manufacturers. This vulnerability has an exploit rating of difficult, meaning that even advanced attackers will take a while to come up with the necessary exploit code - still we recommend patching this during the normal cycle for all machines.

MS10-025 is a critical Windows Media Services vulnerability but only affects Windows 2000. Windows 2000 Server will have its extended Support retired in mid-July of this year and will then cease to receive security updates. Organizations that still use Windows 2000 need to evaluate a migration strategy.

The remaining bulletins are ranked as important and moderate - MS10-028 is a file format attack against Visio, which can result in remote code execution. MS10-023 is a similar attack against Microsoft Publisher. As these software packages are not widely installed a good inventory will be helpful in evaluating the exposure. MS10-021 is an interesting side effect created by registry linking. MS10-024 is a Denial of Service vulnerability in the SMTP server of Windows 2003-64bit only and MS10-029 an IPv6/IPv4 packet envelope vulnerability that can lead to information disclosure.

This is a big release for Microsoft, addressing a wide selection of software. IT administrators probably will not have all of the included software packages and configurations installed in their environment and therefore will need to install only a subset of the 11 bulletins.

In addition Adobe released their quarterly patches for Adobe Reader and Acrobat on Windows, Mac OS X and Unix. The update is critical and fixes 15 vulnerabilities with a maximum exposure of "remote code execution".

Today Microsoft released their advance notification for next week's Patch Tuesday. There will be 11 security bulletins (5 critical) affecting a range of Windows operating system components as well as Microsoft Office and Microsoft Exchange. This is a fairly large update and will keep system administrators busy.

Of particular interest is that Microsoft will fix 2 open 0-day vulnerabilities - the F1 attack through the Internet Explorer KB981169 and the SMBv2 Denial of Service vulnerability, only present on Windows 7 and Windows Server 2008 KB977544.

The 5 critical bulletins affect Windows 2000, XP, Vista, 2003, 2008 and Windows 7. An attacker can use these vulnerabilities to remotely execute code on the victim's machine and they should be addressed as quickly as possible.

An additional 5 security bulletins are rated as important and apply to Microsoft Office, Microsoft Exchange and Windows. If left un-patched, an attacker could execute code, cause a denial of service or obtain elevated privileges on the victim's machine. The remaining security bulletin is rated as Important.

Most of the patches require a machine reboot after installation.

Similar to past Patch Tuesdays, Windows 7 has fewer critical updates to install than the older operating system versions, an indication that the newer versions of Windows are more robust and secure out of the box.

In addition to the Microsoft patches, administrators will also have to pay attention to the security fixes coming out from Adobe for the Reader and Acrobat products. The Adobe update is rated as critical and a successful exploit will allow the attacker to take control of the target machine.
Updated: The patch for Adobe Reader (9.3.1) is now available - one of the flaws, CVE-2010-0188, was found by Microsoft's Research Team.

Adobe announced a number of updates yesterday outside of their normal 3-month cycle: APSB10-06 addresses a critical flaw in Adobe Flash and AIR. APSB10-07 is the announcement for an Adobe Reader and Acrobat update that will come out next Tuesday. It is applicable to Windows, Mac OS X and Unix and is critical as well.
McAfee's CTO George Kurtz just published some deeper insight into the attacks against Google. According to him a 0-day vulnerability in Internet Explorer was used. Microsoft has just issued an advisory KB979352 acknowledging the vulnerability on all versions of Internet Explorer, except IE v5.

It looks as if the Adobe Reader 0-day was not directly involved, contrary to what we had assumed so far.

We will update this post when further information comes to our attention.

Yesterday Adobe Systems updated its Reader product to fix a total of eight vulnerabilities. Out of the eight vulnerabilities, six allow remote code execution and are critical. One of the flaws addressed was CVE-2009-4324, the 0-day vulnerability which has had exploits in the wild since December 14 2009, roughly a month ago. This vulnerability is exploited by including malicious code in a PDF document and triggered by executing an embedded JavaScript program. The PDF can be delivered through e-mail or downloaded from a website, making it a fairly easy attack to execute. Interestingly enough, it seems that this particular flaw was used against Adobe itself, as pointed out by Elinor Mills at CNET.

Adobe has introduced two interesting security tools in the last two releases of the Reader product - one is an integrated update mechanism that will eventually default to automatic and silent updates. This mechanism is currently in beta and being tested with part of the installed base. The second tool is an internal blacklist that allows IT admins to disable specific JavaScript functions. Adobe recently provided guidance on how to mitigate the December 0-day by using this tool. Both tools are in their initial stages but look very promising.

The fixed versions are now Reader v9.3 and v8.2. What is important for Adobe Reader v7 users to know is that v7 is now out of support (as of 12/28/2009 - see: http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html#86) and is not being updated anymore with security fixes. However, it is impacted by the December 0-day. IT administrators should take inventory of their v7 users and upgrade them to the current standard of v9.

Microsoft starts 2010 slowly - a single bulletin containing one vulnerability in the Embedded OpenType Font (EOT) engine. Due to the memory model in Windows 2000 the vulnerability is critical on that version of the Windows operating system; all others receive a low severity rating. The flaw can be exploited through any OpenType-enabled application such as Internet Explorer, PowerPoint, Word, etc. by viewing a webpage or a document. Users of Windows 2000 should upgrade as quickly as possible.

There are 2 significant releases from other vendors today:
  • Oracle has released their quarterly Critical Patch Update today. It contains 25 fixes for 7 of their products, including application servers and database engine. The majority of the vulnerabilities are remotely exploitable without authentication and IT admins should be taking a close look at the exposure these products have in their networks. In general database engines should have no necessity to be connected to open networks, but the application servers are very likely exposed.
  • Adobe is also publishing their quarterly patch - and it will address a vulnerability in Adobe Reader that was documented as being actively exploited in the wild since the week before Christmas. Workarounds are available; the official recommendation is to blacklist the JavaScript function that is being exploited. Blacklisting is a capability introduced by Adobe in their last update to Adobe Reader v9 and v8 in October 2009 and might not be familiar to many IT admins yet. An alternative recommendation is to turn off JavaScript completely in Adobe Reader - JavaScript has played a major role in the exploitation of Adobe Reader in 2009, so this is a good preventive and defensive measure. As this setting disables functionality potentially needed by users, IT admins need to evaluate their individual situations.

    This release is also introducing the new Adobe updater process, which, according to Brad Arkin's tweet, will come preconfigured for automatic, silent updates à la Google Chrome.

Intevydis, a security research company in Russia, announced last week that they will publish server-based 0-day vulnerabilities for the next 3 weeks. The first two are live and have POC code for Sun Directory Server 7.0 and Tivoli Directory Server 6.2. We are monitoring these releases and will keep you updated on further development.

Over the weekend Jericho published on the OSVDB blog an analysis of annual vulnerability numbers that Elinor Mills from CNET had written about on Thursday in her InSecurity Complex blog. Some of the numbers originated from Qualys and we were not specific enough on the exact scope. As Jericho speculated our numbers were indeed for a more narrow set of products - not for all of Adobe and Microsoft software, but specifically for Adobe Reader and Microsoft Office. Elinor has since updated the article.

The overall point that we are trying to make remains the same - patching such applications is being neglected by most IT admins and attackers have increasingly shifted their attention to exploiting vulnerabilities in them. On Friday Brad Arkin from Adobe stated that Adobe Reader as a cross operating system application has a bigger installed base than Microsoft Windows, which makes it a very attractive target to attack.

What is your opinion on why the number of vulnerabilities found in Adobe Reader has gone up in 2009? Did attackers first notice that there was a potential, start writing exploits and then security researchers followed up, or was it the other way around?

I am looking forward to your comments...

Yesterday Adobe's PSIRT acknowledged a flaw in Adobe Reader in the handling of PDF documents that is being exploited in the wild. The flaw affects Adobe Reader under Windows, Mac OS X and Linux/Unix. Symantec identifies the attack as Trojan-Pidief.H.

The ISC's handler on duty Pedro Bueno posted additional information.

Stay tuned for more information about potential workarounds - some have suggested turning off JavaScript in Adobe Reader which we think is a best practice anyway, but we do not know whether this is helpful for this attack.

Update: according to the advisory, turning off JavaScript is the recommended workaround, and enabling DEP in newer versions of Windows provides further protection.

Microsoft closes 2009 with its last regular patch release, adding 6 bulletins and bringing the year's total to 74. December's release is by our current standards a rather normal workload of 12 individual vulnerabilities. As expected, Bulletin MS09-072 fixes the critical 0-day Internet Explorer vulnerability that was publicly disclosed just 3 weeks ago. Microsoft credits iDefense for the vulnerability, so it appears that they had been working on the issue already. Still, kudos to the team at Microsoft for the quick release. This patch is rated for immediate deployment as attackers are actively working on making the POC into a reliable exploit. The advisory further contains an additional 4 vulnerabilities, with 3 affecting Internet Explorer 8, including on Windows 7. BTW, this is the only bulletin this month that affects Windows 7 and Windows 2008 R2.

Bulletin MS09-070 deals with remote code execution on Active Directory on Windows 2003 and 2008. This is rated as Important because it requires an attacker to be authenticated. If the attacker has credentials, an exploit can be used to execute code on the active directory server and impact core infrastructure of corporate environments - we recommend fixing it as quickly as possible after internal testing.

MS09-073 and MS09-074 address vulnerabilities in file formats for Word/Wordpad converters and MS-Project. Both allow remote code execution when users open specifically crafted files that can be received through e-mail or downloaded from a website. Install the patches as quickly as possible and review whether extended testing is necessary in your environment.

The 2 remaining bulletins, MS09-069 and MS09-071, address the Windows operating system, one in the well-known LSASS component and the other in the Internet Authentication Services (IAS). The LSASS flaw is a resource-consumption DoS-only vulnerability and the IAS flaw only affects Windows 2008 with MSCHAP v2 enabled. The exploitability index for both is 2 and we think these patches should be installed as necessary.

The highly critical vulnerability in IE6/7 with an exposure window to exploits of over 3 weeks without the availability of a patch, should put the task of getting users off IE6/7 on the top of IT admins New Year's resolutions for 2010. They have to be migrated to a more modern browser, with the most viable options being IE8 with its well known patching mechanism or Firefox 3 with its more aggressive patching schedule.

Outside of the direct Microsoft realm, Adobe will release an update for a critical Flash vulnerability that we recommend installing right away.


October 2009's Microsoft Patch Tuesday is a massive release with 13 advisories covering 34 vulnerabilities. 2 advisories address last month's 0-day vulnerabilities - SMBv2 and FTP for IIS - in a very quick turn-around. However, another 6 vulnerabilities are tagged as having information disclosed publicly before today's patch release. Of the total set of vulnerabilities a full 22 are of critical severity and should be addressed as quickly as possible. A large selection of software is affected: all versions of Windows (including Windows 7), Windows Media Player, Office and also Silverlight - Microsoft's new rich media development tool. Internet Explorer also receives an update for 2 critical vulnerabilities - one of them disclosed at the Black Hat Security conference.

MS09-054 is a fix for critical vulnerabilities in all versions of Internet Explorer and interestingly can also affect non-Microsoft software - namely Firefox, the browser from Mozilla. The Microsoft .NET runtime installs a plug-in into Firefox that allows XAML Browser Applications (XBAP) to be launched through Firefox and serves as a conduit to the vulnerable component of Windows.

The biggest set of vulnerabilities this month is addressed by MS09-062, which fixes 8 flaws in the GDI+ graphics library. This library is widely used in applications as diverse as Microsoft Office, Visual Studio development tools, SQL Server and even Forefront Security Client.

Another set of 2 vulnerabilities disclosed at Black Hat (video presentation here and here - worth watching) is addressed by MS09-056. It provides a fix to the CryptoAPI library and the much talked about "Null prefix certificate" which allows for the impersonation of an arbitrary SSL certificate by embedding a NULL character at the right spot in the certificate request. Earlier this month a certificate was leaked to the full disclosure mailing list that impersonated www.paypal.com. The vulnerability is rated only as "important", because it does not allow the attacker to take over the machine, but it can be used to steal the user's credentials to any web site.
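To make the mechanism in the paragraph above concrete, here is an added example (not code from the page, from Microsoft or from the Black Hat presentation) contrasting a C-string style subject name comparison with a length-aware one, plus the detection check a defender would run over a certificate inventory. The CN values and the `attacker.example` domain are constructed samples.

```python
"""Constructed illustration of the "null prefix" certificate matching flaw.

An X.509 name is DER-encoded with an explicit length, so the issuing CA sees
the whole string and validates ownership of its rightmost labels.  A client
that copies the name into a NUL-terminated C string stops at the first NUL
byte and therefore "sees" a different host.  Nothing here builds a real
certificate; it only models the two comparisons.
"""
from typing import List

# Constructed sample CNs (attacker.example is a placeholder domain).
ISSUED_CN = b"www.paypal.com\x00.attacker.example"
HONEST_CN = b"www.paypal.com"


def c_string_view(name: bytes) -> str:
    """Emulate strlen()-style handling: everything after the first NUL vanishes."""
    nul = name.find(b"\x00")
    return (name if nul < 0 else name[:nul]).decode("ascii", "replace")


def full_view(name: bytes) -> str:
    """Length-aware view, i.e. what the DER length field actually covers."""
    return name.decode("ascii", "replace")


def registrable_owner(name: bytes) -> str:
    """Approximate what the CA verified ownership of: the rightmost two labels."""
    labels = full_view(name).split(".")
    return ".".join(labels[-2:])


def matches_vulnerable(cert_cn: bytes, hostname: str) -> bool:
    """Pre-patch behaviour: compare the C-string view against the requested host."""
    return c_string_view(cert_cn).lower() == hostname.lower()


def matches_hardened(cert_cn: bytes, hostname: str) -> bool:
    """Defensive check: refuse any name carrying a NUL, then compare the full value."""
    if b"\x00" in cert_cn:
        return False
    return full_view(cert_cn).lower() == hostname.lower()


def audit_cert_names(names: List[bytes]) -> List[str]:
    """Inventory check: return the full view of every subject name with an embedded NUL."""
    return [full_view(n) for n in names if b"\x00" in n]


if __name__ == "__main__":
    print("CA validated owner     :", registrable_owner(ISSUED_CN))
    print("vulnerable client sees :", c_string_view(ISSUED_CN))
    print("vulnerable match       :", matches_vulnerable(ISSUED_CN, "www.paypal.com"))
    print("hardened match         :", matches_hardened(ISSUED_CN, "www.paypal.com"))
    print("flagged names          :", audit_cert_names([HONEST_CN, ISSUED_CN]))
```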

Important: Adobe released their patch for Adobe Reader, the popular PDF viewer. Adobe Reader versions 7, 8 and 9 are vulnerable on all versions of Windows and Mac OS X. Adobe had acknowledged the existence of exploits focused on v9 and Windows last week. This is a critical update that should be applied as soon as possible.

The SANS Institute just published the Top Cyber Security Risks Report for the first half of 2009. In this report TippingPoint, SANS and Qualys collaborated using attack, vulnerability and forensics data to provide the latest trends in the security field.

Enterprise IT administrators and tech savvy computer end users alike will find interesting information that will help them secure their computers against current threats in the typical software installed on their machines, such as Adobe Reader and Flash, Apple QuickTime, Microsoft Office and Sun Java. The report clearly demonstrates a lag in installing security patches to these productivity applications, despite the attention they get in the press and from the security community. Since all of them are widely installed in businesses, we advise organizations to treat them with the same attention as OS and network vulnerabilities patches and to include them in their regular patching process.

Yesterday the Mozilla foundation announced on their security blog that Firefox will start checking for outdated Flash plug-ins. This is a great way of improving the security of web browsers: Flash is often used by attackers to exploit client machines and is unfortunately notoriously difficult to update, requiring (on Windows) different update packages for Internet Explorer and all other browsers.

Now we just need to convince Hillary Clinton to let the Department of State use Firefox.

[Image: FlashUpdate.png]

As you can see this worked fine for me on my Mac under Firefox 3.0.14.

This has been an exciting week in the security space; first Adobe and now Microsoft have announced that they will deliver out-of-band patches next week:
Both vulnerabilities are rated critical and are found in very common software components - all versions of IE (6,7 and 8) are vulnerable, while Adobe says that updates will be shipped for Flash 9 and 10 and also Adobe Reader 9. IT administrators should prepare for a quick turnaround.

June's Patch Tuesday is generating a major workload for IT administrators. Microsoft released their biggest number of patches in recent memory, not only for Windows systems, but also for their Mac Office suite. Adobe has patches for their Reader product for Windows, Mac and Unixes and Apple released a production version of Safari 4 for Mac OS X and Windows.

Microsoft's 10 bulletins patch a total of 31 vulnerabilities, extending to almost all of their products on both servers and workstations. Most urgent on the server side are MS09-018 for the Active Directory vulnerabilities and MS09-020 for the IIS/WebDAV vulnerabilities, as both are categorized as critical and have the highest rating (Consistent exploit code likely) in the Microsoft exploitability index. MS09-022 - Windows Print Spooler - is rated critical as well, affects both servers and workstations and so has a higher exposure potential than the other server-based vulnerabilities. MS09-025 brings 4 updates for the Windows base operating system kernels and even the new Vista and 2008 versions are affected by 3 of them.

On the workstation side, beyond MS09-022 and MS09-025 we have the updates for Internet Explorer, Word, Excel and Windows Search. MS09-019 has patches for 8 IE vulnerabilities for all versions from IE5 to IE8 - however it is interesting to note that IE8 is only affected by a single vulnerability, which was recently disclosed at the CanSecWest conference in the Pwn2Own contest sponsored by TippingPoint's ZDI.

As expected we did not see a patch for the DirectShow vulnerability, acknowledged by Microsoft 10 days ago in KB971778. While they have the patch, it is still undergoing Quality Assurance and Stability testing. For Macintosh users, Microsoft provided the patch for last month's disclosed vulnerabilities - MS09-017 for PowerPoint. Both users of Office 2004 and Office 2008 are advised to upgrade to fix a Remote Code Execution issue.

As Adobe had announced previously they also published their quarterly patches this 2nd Tuesday of the month. Currently we see that a patch has been released, but there is no further detail available as to the vulnerabilities covered.

Update: The Adobe advisory is out and it shows a total of 14 vulnerabilities. The patch covers Adobe Reader on Windows and Macintosh. Unix users will have to wait until June 16th to get their fixes.


Microsoft's May Security Bulletin contains a single advisory for PowerPoint in Microsoft Office (MS09-017). It addresses 14 distinct vulnerabilities, including the 0-day vulnerability that was identified in the beginning of April 2009. While the vulnerabilities rank only as important on most versions of Microsoft Office, they are all categorized as "remote code execution" and have a low exploitability index, meaning exploits are relatively easy to write and can be expected to be used soon in attacks.

One of the mentioned workarounds for CVE-2009-0556, the 0-day vulnerability patched in this advisory, is installing MOICE (KB937696). MOICE stands for "Microsoft Office Isolated Conversion Environment," a toolset that sanitizes Office documents when opened through browsing and email by removing potentially dangerous code. It has been available since May 2007 and is cited as a work-around in eight of Microsoft's 78 advisories in 2008. MOICE is an interesting tool, used to reduce the risk produced by the increasing number of file format vulnerabilities. Its limitation is that it only works with Office 2003 and 2007; Office 2000 and Office XP are not supported.

In addition to the Microsoft patches both Adobe and Apple released their equivalent of "Patch Tuesday" advisories. Adobe fixed a recent critical 0-day vulnerability in their Acrobat and Reader product lines. Compared to their February patch for a known 0-day, this time around they reacted much faster and published patches for Windows, Mac OS X and Unix simultaneously. Adobe software is widely installed and according to statistics from F-Secure PDF based file exploits are on the rise - 49% for the first 4 months of 2009 compared to 28% in 2008.

Apple's patches address a variety of critical issues in OS X and the Safari browser. The advisory for OS X addresses over 40 vulnerabilities and the Safari advisory applies to both OS X and Windows.


For the 2nd time in 2009 Adobe has to deal with a 0-day announcement. SecurityFocus BID 34736 has the exploit code, which should be straightforward for attackers to incorporate into their existing "outreach" mechanisms. Once again the JavaScript implementation in Adobe Reader is the culprit and Adobe officially recommends turning off JavaScript as a work-around, until a patch becomes available. While I expect that attacks will focus on the Windows platform, the vulnerability is truly cross-platform and affects Windows, Macs and Linux. File format vulnerabilities of this kind represent a significant attack vector, but they continue to be neglected by IT administrators. Our ongoing analysis of the previous Adobe vulnerability APSA09-01 (released February 2009, patch available on March 10 as shown by the red line in the graph) shows no significant reduction in the number of exploitable machines.

[Graph: adobe_april_09.PNG]

If this trend continues to persist for the Adobe Reader vulnerabilities, as it has throughout 2008 and as demonstrated in Laws 2.0, attackers don't need to rush anymore; they can take their time figuring out the best way to get an infected PDF file to their victims.

Yesterday, on 3/24, Adobe delivered the last of their patch set for the critical Adobe Reader and Acrobat vulnerability that has garnered plenty of attention in the past month. Two weeks ago the patch was for v9, last week's was for v8 and v7 and this week the Linux and Unix population were taken care of. And now we are fully covered, except that nobody seems to care! Our stats fail to show significant traction for this vulnerability, which is different from what we normally see in high-profile vulnerabilities (red lines denote availability of the patch in week 1 and week 2):

[Graph: apsb09_003_1b.PNG]


Since its initial announcement we have seen overall high occurrence numbers for this vulnerability, comparable only to a critical Microsoft Windows or Office vulnerability. I believe that for the following reasons we have not seen a downward trend yet:
  • The patch was initially limited to Adobe Reader and Acrobat v9, while the vulnerability exists in v7,8 and 9
  • There does not seem to be a working automatic update mechanism. My Adobe Reader v9 has been sitting running idly for over a week, even though automatic updates were enabled in the Preferences section
  • This is not a vulnerability by an OS vendor and thus is flying under the radar
This vulnerability requires all our attention; exploits have been around for over 2 months and are readily available to all malware writers. So patch now! In addition, turn off JavaScript in Adobe Reader if you don't need it in your line of business. Organizations can also evaluate alternatives to Acrobat (search for "adobe reader pdf alternatives" in your favorite search engine) that are potentially less exposed targets, but shop around a bit as some of them have their own flaws and active exploits. I have been using such an alternative for the last 2 weeks and have not encountered any compatibility problems in my usage - reading simple PDF documents.
