My next class:

Yet another Adobe Flash/Reader/Acrobat 0 day

Published: 2011-04-11. Last Updated: 2011-04-11 22:33:13 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

Adobe released that a so far unpatched vulnerability has been used in recent targeted attacks.

Flash Player 10.2.153.1 is vulnerable, as is the flash player component used to execute flash in Adobe Reader / Acrobat. Adobe Reader X is vulnerable bu but not exploitable. 

At this time, according to Adobe, the attack is performed using Flash files embedded in Word documents. 

Note that Flash may be embedded in other Office document formats like Excel. Adobe is not planning on an out of band patch at this point, as Adobe Reader X is not exploitable.

[1] http://www.adobe.com/support/security/advisories/apsa11-02.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: adobe flash
10 comment(s)
My next class:

Comments

I believe Acrobat Reader X is only not vulnerable if sandbox is enabled. I don't find anything that Reader X is not vulnerable if sandbox mode is not enabled. Do you have a link somewhere that describes this?

sbass

Apr 11th 2011
1 decade ago

A little clarification: According to the advisory, it's only Adobe Reader X for Windows that is not exploitable. Adobe Reader X for Mac is.

cscott

Apr 11th 2011
1 decade ago

Based on APSA11-02 it can be confusing. From what I read I agree Adobe X for Mac OSX is. They state
"We are in the process of finalizing a schedule for delivering updates for Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.2) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011."

If I remember correctly protected mode in MAC OSX is not fully implemented. May be useful but cannot remember off hand. -->
http://learn.adobe.com/wiki/display/security/Protected+Mode+FAQ

drStrangeP0rk

Apr 11th 2011
1 decade ago

Hm, kind of deja-vu (Flah embedded into a DOC) looking at the RSA issue which has been claimed to be fixed: http://blogs.rsa.com/rivner/anatomy-of-an-attack/

Ottmar Freudenberger

Apr 12th 2011
1 decade ago

The problem with Adobe's approach of using the sandbox as a crutch is that not everyone can use Protected Mode since it is still buggy. For example, try embedding a PDF into a Word document while having Reader X installed and Protected Mode enabled.

jrzmurray

Apr 12th 2011
1 decade ago

Is it just me or is their 'about' page no longer working?

http://www.adobe.com/products/flash/about/

K-Dee

Apr 12th 2011
1 decade ago

http://www.adobe.com/products/flash.html seems to be the new page which I was redirected to. It might be your browser is not taking the redirect due to a plugin (if it is firefox). If not, no clue. Better check for the Adobe root kit LOL.

Al of Your Data Center

Apr 12th 2011
1 decade ago

Yeah I am redirected there as well..... but that page doesn't tell me anything about the version of Flash that I am running....

K-Dee

Apr 12th 2011
1 decade ago

K-Dee, the 'about' page for Flash Player is now:

http://www.adobe.com/software/flash/about/

AE1

Apr 12th 2011
1 decade ago

Thanks AE1!

K-Dee

Apr 12th 2011
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives