My next class:

Yet another Adobe Flash/Reader/Acrobat 0 day

Published: 2011-04-11. Last Updated: 2011-04-11 22:33:13 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

Adobe released that a so far unpatched vulnerability has been used in recent targeted attacks.

Flash Player 10.2.153.1 is vulnerable, as is the flash player component used to execute flash in Adobe Reader / Acrobat. Adobe Reader X is vulnerable bu but not exploitable. 

At this time, according to Adobe, the attack is performed using Flash files embedded in Word documents. 

Note that Flash may be embedded in other Office document formats like Excel. Adobe is not planning on an out of band patch at this point, as Adobe Reader X is not exploitable.

[1] http://www.adobe.com/support/security/advisories/apsa11-02.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: adobe flash
10 comment(s)
My next class:

Comments

I believe Acrobat Reader X is only not vulnerable if sandbox is enabled. I don't find anything that Reader X is not vulnerable if sandbox mode is not enabled. Do you have a link somewhere that describes this?
A little clarification: According to the advisory, it's only Adobe Reader X for Windows that is not exploitable. Adobe Reader X for Mac is.
Based on APSA11-02 it can be confusing. From what I read I agree Adobe X for Mac OSX is. They state
"We are in the process of finalizing a schedule for delivering updates for Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.2) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011."

If I remember correctly protected mode in MAC OSX is not fully implemented. May be useful but cannot remember off hand. -->
http://learn.adobe.com/wiki/display/security/Protected+Mode+FAQ
Hm, kind of deja-vu (Flah embedded into a DOC) looking at the RSA issue which has been claimed to be fixed: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
The problem with Adobe's approach of using the sandbox as a crutch is that not everyone can use Protected Mode since it is still buggy. For example, try embedding a PDF into a Word document while having Reader X installed and Protected Mode enabled.
Is it just me or is their 'about' page no longer working?

http://www.adobe.com/products/flash/about/
http://www.adobe.com/products/flash.html seems to be the new page which I was redirected to. It might be your browser is not taking the redirect due to a plugin (if it is firefox). If not, no clue. Better check for the Adobe root kit LOL.
Yeah I am redirected there as well..... but that page doesn't tell me anything about the version of Flash that I am running....
K-Dee, the 'about' page for Flash Player is now:

http://www.adobe.com/software/flash/about/
Thanks AE1!

Diary Archives