Tag Archives: adobe

Adobe fixes critical vulnerability in Flash

0
Posted by Tech Paranoia on February 12, 2010 – 10:04 am
Filed under Patches, Software
Tagged as ,

Security updates 10.0.45.2 for the Adobe Flash Player and 1.5.3.1930 for AIR fix a critical security vulnerability which allows Flash applets to circumvent certain security functions in order to access other websites without obtaining the user’s permission. A specially crafted Flash file on a malicious web page could read data, including banking data or similar, displayed in other open browser windows.

Normally, Flash applications are only permitted to access resources on the server from which they have been loaded. In order to allow content to be loaded more flexibly, since version 7, the Flash framework has allowed ‘cross domain requests’. Sites serving Flash applets can create a crossdomain.xml file which specifies which external sites or servers the Flash applets are permitted to make requests from without requiring a warning to be displayed in Flash Player.

These are usually specified very tightly, with the website operator entering only domains operated by partners and other trusted websites. The current vulnerability appears to allow these restrictions to be circumvented so that a crafted Flash file can access objects on any website without requiring user clearance. Users should therefore not hold back in installing the Flash update as soon as possible.

The update also fixes a denial of service (DoS) vulnerability, no further details of which are given. Further tests are needed to determine whether this is the vulnerability which has been unpatched for several months for which Adobe recently apologised. The vendor originally intended to fix this vulnerability in the next major release, 10.1.

Source: The H Security

Microsoft: Emergency IE Patch Coming

0
Posted by Tech Paranoia on January 19, 2010 – 9:02 am
Filed under Patches, exploit
Tagged as , , , , ,

Microsoft has started dropping broad hints that an emergency patch for Internet Explorer will be released very soon to counter targeted attacks and the publication of exploit code for a “browse and you’re owned” vulnerability in its flagship Web browser.

The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend.

The decision to ship the IE patch outside of Microsoft’s scheduled Patch Tuesday releases follows the release of exploit code into the Metasploit attack tool.

The Metasploit code only works against Internet Explorer 6 but there are claims in the security research community that the vulnerability has been successfully exploited on IE7 (Windows Vista) as well as IE6 and on Windows XP.

The vulnerability was discovered during zero-day attacks against several big-name U.S. companies, including Google, Adobe and Juniper Networks. During those attacks, data-stealing malware exploited the flaw against systems running IE6 on Windows XP.

Microsoft says the ongoing attacks remain “targeted to a very limited number of corporations” and are only effective against Internet Explorer 6. However, with the exploit code now in Metasploit, malware purveyors could begin tinkering with exploits geared to newer versions of the browser.

Now, Microsoft is imploring its customers to upgrade immediately to IE 8. A special guidance page has been published to offer information on how to mitigate this vulnerability and avoid attacks.

Microsoft’s Security Research & Defense team has created and released a one-click “Fix It” tool to allow users to enable DEP (Data Execution Prevention) on older versions of the browser. DEP, a crucial anti-exploit mitigation, is enabled by default on IE8 only.

Source: ThreatPost

Hack of Adobe Conducted Via Zero-Day IE Flaw

0
Posted by Tech Paranoia on January 14, 2010 – 2:22 pm
Filed under Hacks, Zero Day, exploit
Tagged as , , , , ,

The recent hack attack on Adobe occurred through exploitation of a zero-day vulnerability that affects all versions of Internet Explorer, according to a security researcher with a leading anti-virus firm.

Microsoft learned about the vulnerability only Wednesday evening and is planning to release an announcement about the vulnerability later today, said the researcher, who asked not to be identified because he’s not authorized to speak with the press.

The vulnerability, for which there is currently no patch, is a memory corruption flaw that causes the browser to internally misfire in a way that allows the hacker to inject malware on the user’s computer.

“It’s pretty targeted so the reality is that it’s only currently being used against these targeted companies,” the researcher said. He couldn’t say how many of the other 33 companies hit in the hack attack were breached in this way.

Zero day vulnerabilities are security flaws in software for which there is currently no patch. Researchers discovered a memory corruption flaw in IE in December, which Microsoft patched on Dec. 9. The researcher, however, said the one that affected Adobe is believed to be a new and different one.

Google announced on Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network, and that the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists.

Minutes later, Adobe acknowledged in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

Neither Google nor Adobe provided details about how the hacks occurred.

Full article at: Threat Level

Adobe releases patch for critical Acrobat and Reader flaw

0
Posted by Tech Paranoia on January 13, 2010 – 12:00 pm
Filed under Patches, Software
Tagged as , ,

Adobe has released a patch for multiple vulnerabilities in its Acrobat and Reader products. This patch addresses the widely used exploit that was released into the wild last month. Exploiting these vulnerabilities may allow an attacker to execute code or perform a denial of service attack.

Adobe Security Bulletin

Microsoft warning to XP users: Update Flash Player Now

2
Posted by Tech Paranoia on January 13, 2010 – 10:00 am
Filed under Software, exploit
Tagged as , , ,

Microsoft has shipped a security advisory with an urgent message for Windows XP users: Update your Flash Player immediately.

The Adobe Flash Player 6 that ships by default in Windows XP is vulnerable to multiple code execution vulnerabilities that could lead to PC takeover attacks, according to the advisory.

Here’s the warning:

Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time but recommend that users install the latest version of Flash Player provided by Adobe.

The Adobe Flash Player 6 was provided with Windows XP and contains multiple vulnerabilities that could allow remote code execution if a user views a specially crafted Web page. Adobe has addressed these vulnerabilities in newer versions of Adobe Flash Player. Microsoft recommends that users of Windows XP with Adobe Flash Player 6 installed update to the most current version of Flash Player available from Adobe.

This issue affects Windows XP Service Pack 2 and Windows XP Service Pack 3. The warning is also applicable to users running Windows XP Professional x64 Edition Service Pack 2.

Adobe discontinued support for Adobe Flash Player 6 in 2006. The latest version of Adobe Flash Player is 10.0.42.34.

Adobe Flash Player is among the most commonly exploited desktop applications so it’s important for all Windows XP users to heed this warning from Microsoft.

Source: ThreatPost

Adobe confirms a targeted attack against its corporate network

0
Posted by Tech Paranoia on January 13, 2010 – 9:00 am
Filed under Hacks, Software
Tagged as , ,

The start of 2010 has been rough for Adobe, which has now released a statement confirming a “sophisticated and coordinated attack” against its corporate network.

A statement from Adobe:

“Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. We are currently in contact with other companies and are investigating the incident. At this time, we have no evidence to indicate that any sensitive information — including customer, financial, employee or any other sensitive data — has been compromised. We anticipate the full investigation will take quite some time to complete. We have and will continue to use information gained from this attack to make infrastructure improvements to enhance security for Adobe, our customers and our partners.”

Adobe has come under fire recently due to a flaw found in its Reader and Acrobat software which remained unpatched for over a month. Due to this incident, Adobe has stated that it will be building a silent updater for these products.

Adobe finally jumps on silent update bandwagon

0
Posted by Tech Paranoia on January 11, 2010 – 12:00 pm
Filed under Patches
Tagged as ,

Today, Adobe users wanting to update Acrobat and Reader have to do it manually, or semi-automatically, but there is no fully automatic, ’silent’ updating feature officially available to users. This has been a problem when it comes to getting users to update the products to cope with new security patches, explained Brad Arkin, director of product security and privacy at Adobe.

“We anticipate that this will have a dramatic improvement on the window of vulnerability for our user base,” Arkin said. “Where we see that improvement occurring is the time from when we release an update to when that update is deployed on a machine.”

During its last quarterly patch in October, Adobe quietly installed a new updater, called Acrobat Refresh Manager, that could be set to update the product silently. A beta test with selected users will start with the company’s latest round of critical security patches, scheduled for next Tuesday. If the Beta test goes well, the update mechanism will be offered as a default option with the following quarterly security update in April.

Adobe is behind the curve in terms of silent product updates, which are a standard feature on many products. Arkin said that the company had to be cautious about introducing the update because of the sheer volume of computers using Adobe’s update system. “Reader is installed on hundreds of millions of machines around the world. Even the most minor potential flaw that only happens on one machine in a million still adds up to a lot of machines,” he added.

Source: Infosecurity-us.com

Adobe to introduce silent updates for Reader

0
Posted by Tech Paranoia on January 6, 2010 – 12:00 pm
Filed under Patches
Tagged as ,

Through implementing the background silent update feature in its Chrome web browser Google has already established that silent updates can be very useful for improving a products security. Now Adobe also plans to introduce “silent updates”, updates which are installed without requiring user permission, in a forthcoming version of Adobe Reader. As Adobe security chief Brad Arkin explained in an interview with threatpost.com, beta testers are due to receive the new feature for the first time before the end of this month. The testers will receive the updates on Adobe’s regular patch day on the 12th of January via an updater that was already deployed last October.

If testing is successful, the feature is to be integrated into the next official release of Adobe Reader, where it will be enabled by default. However, users will reportedly be able to customise the function and disable it if they require. Adobe hopes that the new update function will cause fewer users to run vulnerable installations of Reader.

Last year, the vendor already responded to an increasing amount of criticism concerning its security processes by introducing a quarterly patch cycle when new versions of Adobe Acrobat and of Reader are released to close any holes. As the free Reader is (pre)installed on most Windows systems, a compromised version leaves many systems vulnerable, and criminals exploit this for their attacks.

On the 12th of January, Adobe plans to make a regular update for Adobe Reader and Acrobat available to download. These will close vulnerabilities that include a critical hole in the DocMedia.newPlayer JavaScript function, which is already being actively exploited.

Source: H Online

Adobe Reader vuln hit with unusually advanced attack

0
Posted by Tech Paranoia on January 5, 2010 – 12:00 pm
Filed under exploit
Tagged as , ,

With more than a week until Adobe is scheduled to patch a critical vulnerability in its Reader and Acrobat applications, online thugs are targeting it with an unusually sophisticated attack.

The PDF file uses what’s known as egg-hunting shellcode to compress the first phase of the malicious payload into 38 bytes, a tiny size that’s designed to thwart anti-virus detection. As a result, just four of the 41 major AV programs detect the attack more than six days after the exploit surfaced, according to this analysis from Virus Total.

The shellcode then loads an obfuscated binary file contained in the PDF file that installs PoisonIvy, a backdoor client used to maintain control over infected PCs.

“Not only was this a very interesting example of a malicious PDF document carrying a sophisticated ‘war head,’ but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims,” wrote Bojan Zdrnja, a Sans handler who analyzed the exploit.

The PDF was distributed through email that was specifically targeted at an unnamed organization, Zdrnja, who is a senior information security consultant with Infigo, said in an interview with The Register. Based on the metadata found in the PDF, it originated in China and was produced on December 29.

Just to make the attack even harder for end users to detect, the obfuscated binary runs a third executable program that does nothing more than open a benign file called baby.pdf on the infected machine. Zdrnja believes this is done to deflect attention and prevent users from figuring out their PC has just been compromised.

Source: The Register

Adobe to Patch Zero-Day Flaw on Jan 12

0
Posted by Tech Paranoia on December 16, 2009 – 3:30 pm
Filed under Hacks
Tagged as , , ,

Update to the ongoing story regarding the Adobe Acrobat/Reader exploit. Adobe is set to release a patch on January 12th, which is much too far away as the exploit code is already available via Metasploit and there are reported cases of this exploit being used in the wild.

Remember to Kill JavaScript in Adobe Reader to keep yourself safe.