Adobe on Monday issued another security advisory warning users of yet another zero-day bug in its software. This is the second time this month that the San Jose-based software developer has warned of a critical bug that is reportedly being exploited in the wild. While the first advisory, issued only a few days ago, warned of a critical bug in Reader and Acrobat, the latest warning pertains to a critical vulnerability in its Flash player.
“A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh,” the bug-inured company warned in the advisory.
“This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.”
The company expects to provide patches for both the vulnerabilities within the next three weeks.
Adobe is no stranger to criticism. The company has consistently drawn flak for its piss poor security track record. In fact, it would be reasonable to believe that Adobe is inured to the constant castigation.
But it now seems to be making more serious efforts to plug the many holes in its software. Back in April, it introduced an automatic updater for its Acrobat and Reader products, giving it the ability to tackle critical security issues speedily. And now it has turned its focus to “sandboxing,” a security mechanism that involves running the concerned software in an isolated environment - the sandbox.
Initially, the new feature, dubbed “Protected Mode, will only be used to sandbox “write calls.” But a subsequent update will also help stave off exploit code that tries to copy sensitive information from the user’s machine. "In the first release, everything that is involved in rendering a PDF has to happen within the sandbox.”
Adobe expects to have the next version of Reader ready before the end of the year.
M86 Security Labs released a list of the top 15 most observed vulnerabilities for the first half of 2010 and, surprise-surprise, Adobe Acrobat & Adobe Reader (No. 1) and Microsoft Internet Explorer (No. 2) took the top two spots.
It wasn't enough to just take the top spots, Adobe Reader and Microsoft IE overachieved (underachieved?) by claiming nine out of the 15 slots, with four of them belonging to Adobe and five for Microsoft.
The list also indicates a growing focus on exploiting Java-based vulnerabilities.
"Java is the next low-hanging fruit for attackers," says Marc Maiffret, chief technology officer at eEye Digital Security.
Adobe on Tuesday posted a Security Bulletin alerting the public that it has identified a critical vulnerability in Adoble Flash Player 10.0.45.2 and earlier versions for Windows, Mac, Linux, and Solaris operating systems. A security flaw was also found in the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Mac, and UNIX platforms.
"This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said. "There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat."
That was one of 17 security vulnerabilities identified, the rest of which apply to Adobe Reader and Acrobat. All of these have been labeled as "critical" and run the gamut from memory corruption (could lead to code execution) to a social networking attack.
Security flaws in Adobe reader and Acrobat are nothing new, but in a recent round of updates, Adobe has patched 29 vulnerabilities at once. The updates also included a new software updater that should, once activated, deliver patches in a more effective way.
This will be a welcome change for anyone that’s had to use the current updater. It only checks for updates to Adobe software weekly, and given the frequency of exploits in their products, it isn’t enough. Some updates would even mysteriously vanish from the updater, leaving users vulnerable. This should all change with the new version.
The other vulnerabilities addressed in the set of patches revolved mostly around remote code execution attacks. One of which was already in use around the internet. Adobe warned Mac and Unix users that the same vulnerabilities exist on their platforms as well. The internet is a dangerous place.
June 9th saw a rare 'double-header' in security updates: Microsoft's monthly Patch Tuesday was joined by Adobe's quarterly security updates for Acrobat and Adobe Reader. How big was this month's 10-update Patch Tuesday? According to a Microsoft spokesperson quoted by Cnet, the 31 vulnerabilities covered by updates are "the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003."
Users of Windows 2000 SP4 through Windows Vista SP2 (and holdouts still running Windows 7 Beta), Microsoft Office 2000, 2003, or 2007; Microsoft Office for MacOS 2004 and 2008, Microsoft Works 8.5 and 9, and IE5.01 through IE8 users have some work to do before heading off on vacation, as do users of Adobe Reader and Acrobat 7.x, 8.x and 9.x. To find out what's being changed - and why - join us after the break.
If you haven’t done so already, make sure your Adobe reader has checked for, and downloaded the latest updates. Adobe has finally released a patch for the zero day scripting vulnerability in its PDF software. The patch for version 9 hit the net a bit earlier than expected, but not a moment too soon to combat this now critically exploited weakness which has been in the wild now since December 2008. The patches for Version 7 & 8 are still planned for March 18th and users of this version would be advised to either upgrade to 9.1 or consider Foxit Reader.
The news was posted by Adobe blogger David Lenoe. "Today, we posted the Adobe Reader 9.1 and Acrobat 9.1 update, which resolves the recent JBIG2 security issue (CVE-2009-0658), including the 'no-click' variant of the vulnerability." "We encourage all Adobe Reader users to download and install the free Adobe Reader 9.1."
For those that haven’t been following the details of the exploit, the vulnerability is a result of an array indexing error in the processing of JBIG2 streams. Hackers have found a way to corrupt arbitrary memory using the PDF format and take control of compromised systems. The lesson learned here if we didn’t know it already, don’t take candy, or PDF’s from strangers.
Adobe’s PDF reader and creator software continues to be under a seemingly endless attack, and a new vulnerability has the security community very worried. A critical flaw in all editions of its PDF reader and creator software will allow attackers to crash the application and gain control of a person’s computer. This vulnerability has been acknowledged by Adobe, but a fix is still rumored to be 2-3 week away. Initially the company will be working to patch version 9, but will eventually include fixes for version’s 7 & 8 as well.
According to the McAfee security blog, malicious PDF documents are already in the wild, and have been appearing across the web since early January. PDF exploits are of significant concern to the security community since the reader software interfaces very closely with web browsers. In many cases PDF documents are opened within a new browser tab, and displayed even with a user’s consent. According to Symantec this attack has primarily been directed towards government agencies and large corporations, it is not widespread as of yet.
New Acrobat 9 adds built-in Flash and multimedia support to the venerable PDF format. That's the good news. The bad? Unless you buy (or try) Acrobat 9, you can't enjoy any of the new multimedia goodies in PDF documents just yet.
To find out what's new, how to buy (or try) your favorite version of Acrobat 9, and to learn when Reader will catch up, read on.
To find out how to get the updates you need to protect your system, keep reading.