Author Archive: Brad Arkin

Local Privilege Escalation in Adobe Reader Installer

Adobe has investigated the local privilege escalation issue with Adobe Reader that was recently posted to milw0rm and is working with the third party responsible for this component to develop a schedule for a fix. Affected versions are the full installer for Adobe Reader 9.1.0 and 8.1.3 for Windows (CVE-2009-2564). Please note that this is not related to CVE-2009-1862.
Here are some details based on our investigation:

  • In the described exploit, an attacker could replace the getPlus_HelperSvc.exe file with a malicious file that could potentially be executed in the context of Local System, resulting in a privilege escalation.
  • The issue is only locally exploitable. This means that an attacker would have to already have access to the target computer.
  • getPlus binaries are only used in the installation of Adobe Reader. The binaries delete themselves after reboot. Therefore, most users will not have these binaries present on their machine and will not be vulnerable.
  • The attacker would have to be able to start the getPlus helper service, which is stopped after installation is complete, and can only be restarted manually by an Administrator or Power User.

We rate this vulnerability as ‘Moderate’ according to our Severity Rating System because:

  • The vulnerable getPlus binaries will not exist on most machines since they are deleted after the first reboot after installation of Adobe Reader.
  • The attacker must have local access to the machine to perform the attack.
  • To perform the exploit, the attacker would have to be able to start the getPlus helper service, which is stopped after installation is complete, and can only be restarted manually by an Administrator or Power User.

Users can verify they are not vulnerable to this attack by checking the following:

  • Ensure that the C:\Program Files\NOS folder and its contents are not present on your system
  • Click “Start” > “Run” and type “services.msc”. Ensure that “getPlus(R) Helper” is not in the list of services

If the NOS files are found, the issue can be mitigated by:

  • Deleting the C:\Program Files\NOS folder and its contents
  • Clicking “Start” > “Run”, typing “services.msc”, and deleting “getPlus(R) Helper” from the list of services
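The verification and mitigation steps above as a script, added here as an example and not part of Adobe's post; it assumes the folder path and service display name exactly as stated in the advisory, an elevated PowerShell session, and only removes anything when run with the hypothetical -Remediate switch:

```powershell
# Added example (not from the Adobe post): check for the getPlus installer
# remnants described in the advisory and, optionally, remove them.
# Assumptions: folder path and service display name as given in the post;
# run elevated; -Remediate is a switch of this script, off by default.
param(
    [switch]$Remediate
)

$nosFolder = Join-Path $env:ProgramFiles 'NOS'   # C:\Program Files\NOS
$serviceDisplayName = 'getPlus(R) Helper'
$vulnerable = $false

if (Test-Path -LiteralPath $nosFolder) {
    Write-Host "FOUND: $nosFolder is present (getPlus_HelperSvc.exe remnants)."
    $vulnerable = $true
} else {
    Write-Host "OK: $nosFolder is not present."
}

# Match on the display name shown in services.msc; the short service name is
# not given in the post, so it is read from the service object if one exists.
$svc = Get-Service | Where-Object { $_.DisplayName -eq $serviceDisplayName }
if ($svc) {
    Write-Host ("FOUND: service '{0}' (name '{1}') is {2}." -f $svc.DisplayName, $svc.Name, $svc.Status)
    $vulnerable = $true
} else {
    Write-Host "OK: no '$serviceDisplayName' service is registered."
}

if (-not $vulnerable) {
    Write-Host "Result: installer remnants absent; not exposed to CVE-2009-2564."
    return
}

Write-Host "Result: getPlus remnants present; apply the mitigation from the advisory."
if ($Remediate) {
    if ($svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
        # sc.exe delete unregisters the service (Remove-Service needs PowerShell 6+).
        & sc.exe delete $svc.Name | Out-Null
    }
    if (Test-Path -LiteralPath $nosFolder) {
        Remove-Item -LiteralPath $nosFolder -Recurse -Force
    }
    Write-Host "Remediation applied: service unregistered and NOS folder removed."
}
```

Without -Remediate the script only reports; a "FOUND" line for either item means the mitigation in the post still applies to that machine.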

Potential Adobe Reader, Acrobat, and Flash Player issue

Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information.
This posting is provided “AS IS” with no warranties and confers no rights.

Adobe Security Bulletin Advance Notification

Adobe expects to deliver security updates for Adobe Reader and Acrobat versions 7.x, 8.x, and 9.x for Windows and Macintosh on Tuesday, June 9. This is the first quarterly security update for Adobe Reader and Acrobat as described in our May 20 blog post, and incorporates the initial output of code hardening efforts.
Adobe considers this a critical update and recommends users be prepared to apply the update for their product installations. Details of where to download updates will be posted to Adobe’s Security Bulletins and Advisories support page on June 9.
Details regarding security updates for the UNIX platform will be communicated when available.