Archive for July, 2009

Update to APSB09-10 Security Bulletin

Information about and links to the Adobe Reader and Acrobat patches have been added to yesterday’s Security Bulletin, last mentioned in the Adobe PSIRT blog on July 30 (“Security Bulletin Posted for Adobe Flash Player”, CVE-2009-1862). Adobe categorizes these as critical issues and recommends affected users patch their installations.
Note: As a result of this out-of-cycle Adobe Reader and Acrobat update, Adobe is planning its next quarterly security update for Adobe Reader and Acrobat for Tuesday, Oct. 13.
This posting is provided “AS IS” with no warranties and confers no rights.

Security Bulletin Posted for Adobe Flash Player

A Security Bulletin has been posted regarding the Adobe Flash Player issues last mentioned in the Adobe PSIRT blogs on July 28 (“Impact of Microsoft ATL vulnerability on Adobe Products”, CVE-2009-0901, CVE-2009-2495, CVE-2009-2493) and July 22 (“Update on Adobe Reader, Acrobat and Flash Player Issue”, CVE-2009-1862). Adobe categorizes these as critical issues and recommends affected users patch their installations.

Impact of Microsoft ATL vulnerability on Adobe Products

We evaluated the impact of the vulnerable versions of the Microsoft Active Template Library (ATL) / CVE-2009-0901, CVE-2009-2495, CVE-2009-2493 / Microsoft Security Advisory (973882) on the Adobe product portfolio. We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL. A Security Advisory for Flash Player and a Security Bulletin for Shockwave Player have been posted to our security bulletins and advisories page.
PSIRT has determined that the Adobe Reader browser plug-in for Internet Explorer, Connect Pro, Flash Lite for mobile devices, LiveCycle SAP Forms and other products are NOT vulnerable to CVE-2009-0901, CVE-2009-2495, or CVE-2009-2493.
Note that only Internet Explorer plug-ins are vulnerable. Thus, people using Flash Player within the Firefox browser — as well as all other Windows-based browsers (that aren’t Internet Explorer) — are not vulnerable. Additionally, Flash Player and Shockwave Player on Macintosh, Linux and Solaris operating systems are not vulnerable.
Per the Shockwave Player Security Bulletin, this vulnerability has been patched in the latest version of Shockwave Player, which is now available for download (http://get.adobe.com/shockwave). Per the Security Advisory for Flash Player, this vulnerability will be patched in the scheduled July 30, 2009 update of Flash Player.
Users should consider installing MS09-034. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Flash Player and Shockwave Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035.
We will continue to provide updates on this issue via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

Update on Adobe Reader, Acrobat and Flash Player Issue

A Security Advisory has been posted regarding the Adobe Reader, Acrobat and Flash Player issue discussed in the Adobe PSIRT blog on July 21 (“Potential Adobe Reader, Acrobat, and Flash Player issue”, CVE-2009-1862). A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows.
We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh, and UNIX by July 31, 2009.
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit. Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with antivirus and security vendors regarding the issue and recommends users keep their anti-virus definitions up to date.
We will continue to provide updates on this issue via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

Local Privilege Escalation in Adobe Reader Installer

Adobe has investigated the local privilege escalation issue with Adobe Reader that was recently posted to milw0rm and is working with the third party responsible for this component to develop a schedule for a fix. Affected versions are the full installer for Adobe Reader 9.1.0 and 8.1.3 for Windows (CVE-2009-2564). Please note that this is not related to CVE-2009-1862.
Here are some details based on our investigation:

  • In the described exploit, an attacker could replace the getPlus_HelperSvc.exe file with malicious files that could potentially be executed in the context of Local System, resulting in a privilege escalation.
  • The issue is only locally exploitable. This means that an attacker would have to already have access to the target computer.
  • getPlus binaries are only used in the installation of Adobe Reader. The binaries delete themselves after reboot. Therefore, most users will not have these binaries present on their machine and will not be vulnerable.
  • The attacker would have to be able to start the getPlus helper service, which is stopped after installation is complete, and can only be restarted manually by an Administrator or Power User.

We rate this vulnerability as ‘Moderate’ according to our Severity Rating System because:

  • The vulnerable getPlus binaries will not exist on most machines since they are deleted after the first reboot after installation of Adobe Reader.
  • The attacker must have local access to the machine to perform the attack.
  • To perform the exploit, the attacker would have to be able to start the getPlus helper service, which is stopped after installation is complete, and can only be restarted manually by an Administrator or Power User.

Users can verify they are not vulnerable to this attack by checking the following:

  • Ensure that the C:\Program Files\NOS folder and its contents are not present on your system
  • Click “Start” > “Run” and type “services.msc”. Ensure that “getPlus(R) Helper” is not in the list of services

If the NOS files are found, the issue can be mitigated by:

  • Deleting the C:\Program Files\NOS folder and its contents
  • Click “Start” > “Run” and type “services.msc”. Delete “getPlus(R) Helper” from the list of services

Potential Adobe Reader, Acrobat, and Flash Player issue

Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information.

Security Bulletin – ColdFusion

A Security Bulletin has been posted with instructions to patch the Adobe ColdFusion vulnerability last mentioned in the Adobe PSIRT blog on July 3 (“Potential ColdFusion security issue”, CVE-2009-2265). Adobe is aware of reports that this issue is being exploited in the wild and is remotely exploitable.

Potential ColdFusion security issue

Adobe is aware of reports of ColdFusion websites being compromised through a vulnerability in the FCKEditor rich text editor, which is installed with ColdFusion 8. Adobe is working on an update to ColdFusion to resolve the issue, which we expect to make available next week. In the meantime, ColdFusion 8 administrators are advised to mitigate this issue by following the steps below:
1. Disable connectors by setting config.Enabled to false in the editor/filemanager/connectors/cfm/config.cfm file.
2. Remove unused cfm files under editor/filemanager/connectors/cfm directory of the FCKeditor.
3. Inspect FCKeditor directories for content that has already been uploaded. The uploaded files go under the directory specified in the config.UserFilesPath set in config.cfm.
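
An added example, not part of Adobe's advisory: a Python audit that checks the three steps above against one FCKeditor install. The function names, the script-extension list, the sample tree built in a temporary directory, and the treatment of UserFilesPath as relative to the web root are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: extensions a ColdFusion/J2EE server may execute; adjust per site.
SCRIPT_EXTS = {".cfm", ".cfml", ".cfc", ".jsp", ".jspx"}
CONNECTOR_REL = Path("editor/filemanager/connectors/cfm")  # path from the advisory

def read_setting(text, name):
    """Last value assigned to config.<name>, ignoring //-commented lines."""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    hits = re.findall(r"\bconfig\." + name + r"\s*=\s*([^;\n]+)", live, re.I)
    return hits[-1].strip().strip("\"'") if hits else None

def audit_fckeditor(fck_root, web_root):
    """Report on the advisory's three mitigation steps for one install."""
    conn_dir = Path(fck_root) / CONNECTOR_REL
    config = conn_dir / "config.cfm"
    text = config.read_text(errors="replace") if config.is_file() else ""
    enabled = read_setting(text, "Enabled") or ""
    user_path = read_setting(text, "UserFilesPath")
    upload_dir = Path(web_root) / (user_path or "").strip("/")  # assumed relative to web root
    uploads = [p for p in upload_dir.rglob("*") if p.is_file()] if user_path else []
    return {
        # Step 1: anything but an explicit "false" is treated as enabled.
        "connector_enabled": config.is_file() and enabled.lower() != "false",
        # Step 2: connector scripts still on disk besides config.cfm.
        "connector_files": sorted(p.name for p in conn_dir.glob("*.cfm")
                                  if p.name != "config.cfm"),
        # Step 3: uploaded files whose type the server would run as code.
        "suspect_uploads": sorted(p.name for p in uploads
                                  if p.suffix.lower() in SCRIPT_EXTS),
    }

def demo():
    """Audit a constructed FCKeditor tree built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        conn = Path(tmp, "fckeditor") / CONNECTOR_REL
        up = Path(tmp, "userfiles", "file")
        conn.mkdir(parents=True)
        up.mkdir(parents=True)
        (conn / "config.cfm").write_text(
            '// config.Enabled = false ;\nconfig.Enabled = true ;\n'
            'config.UserFilesPath = "/userfiles/" ;\n')
        for f in (conn / "connector.cfm", up / "report.pdf", up / "page.CFM"):
            f.write_text("")
        return audit_fckeditor(Path(tmp, "fckeditor"), tmp)

if __name__ == "__main__":
    print(demo())
```

The suspect list only prioritizes review; every file under the upload directory still needs inspection as step 3 describes.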