Endpoint Protection


Regarding the newly-discovered flash vulnerability

  • 1.  Regarding the newly-discovered flash vulnerability

    Posted Jul 25, 2009 11:08 AM
    Regarding this newly-discovered flash vulnerability:

    CERT Security Alert TA09-204A

    Can someone explain how (or if) a system is vulnerable if:

    a) the system has no installed version of Adobe Acrobat

    or

    b) a system has an old version of acrobat (specifically, version 6.x).

    Is it true that this exploit relies on pushing a .pdf file to the victim, and the .pdf file contains flash functionality that is called by acrobat?

    Or does this exploit rely only on flash, and the file being "pushed" is a .swf file that does not require the presence of acrobat reader in order to execute and perform the exploitation?


  • 2.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 25, 2009 12:39 PM

    A) Yes, systems without Acrobat are also at risk if the Flash plugin is enabled in the web browser

    B) Systems with older version of Acrobat are definitely at risk.

    Two ways to exploit: The user can be lured into visiting a website leading to execution of a swf file, or into executing a malicious pdf file.

    It does not only depend on flash.



  • 3.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 25, 2009 01:10 PM
    > Yes, systems without Acrobat are also at risk if the Flash plugin is enabled
    > in the web browser

    In that case, is the exploit file a .swf flash file, or a .pdf acrobat file?  Can the flash player handle .pdf files by itself?

    > B) Systems with older version of Acrobat are definitely at risk.

    I have run proof-of-concept examples of many of the .PDF exploits that have been discovered during the past year on systems with Acrobat reader 6.02 (running Windows 98) and they do not seem to function properly given that combination.  Also, Adobe has never stated (as far as I can tell) that Acrobat 6 is or was vulnerable to any of the .pdf exploits that have been discovered during the past, oh, 2 years.

    Please explain (or please indicate an appropriate URL) that specifically mentions the vulnerability status of Acrobat 6.x in terms of the .pdf exploits discovered in 2007, 2008 and 2009.

    > Two ways to exploit : The user can be lured into visiting a website leading to
    > execution of swf file or executing a malicious pdf file.

    Can the flash player be tricked into executing a .pdf file?  Even if the file name ends in .swf ?

    > It does not only depend on flash.

    That's where I'm confused.  If it doesn't depend on flash, then why is it being referred to specifically as a flash vulnerability?

    Are these two SEPARATE vulnerabilities?

    Or are they the SAME root vulnerability that can be exploited from two different directions (a malicious pdf file and a malicious .swf file) ???



  • 4.  RE: Regarding the newly-discovered flash vulnerability
    Best Answer

    Posted Jul 25, 2009 04:13 PM
     Adobe has released Security advisory APSA09-03, which describes a vulnerability affecting Adobe Flash. Other Adobe applications that include the Flash runtime, such as Adobe Reader 9, are also affected.


    I. Description

    Adobe Security Advisory APSA09-03 describes a vulnerability affecting the Adobe Flash player. Flash player version 10.0.22.87 and earlier 10.x versions as well as Flash player version 9.0.159.0 and earlier 9.x versions are affected.

    An attacker could exploit this vulnerability by convincing a user to visit a website that hosts a specially crafted SWF file. The Adobe Flash browser plugin is available for multiple web browsers and operating systems, any of which could be affected. An attacker could also create a PDF document that has an embedded SWF file to exploit the vulnerability.

    This vulnerability is being actively exploited.


    II. Impact

    This vulnerability allows a remote attacker to execute arbitrary code as the result of a user viewing a web page or opening a PDF document.


    III. Solution

    These vulnerabilities can be mitigated by disabling the Flash plugin or by using the NoScript extension for Mozilla Firefox or SeaMonkey to whitelist websites that can access the Flash plugin. For more information about securely configuring web browsers, please see the Securing Your Web Browser document. US-CERT Vulnerability Note VU#259425 has additional details, as well as information about mitigating the PDF document attack vector.

    Ref: http://www.us-cert.gov/cas/techalerts/TA09-204A.html



  • 5.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 25, 2009 11:21 PM
    > An attacker could also create a PDF document that has an embedded
    > SWF file to exploit the vulnerability.

    I assume that a malicious pdf document that contains the swf exploit would be opened first by Acrobat reader, and the reader would use the installed flash player to render the embedded swf file.

    What versions of Adobe acrobat reader contain the functionality to auto-render swf content that might be contained within a PDF file?  Specifically, does version 6 have this functionality?



  • 6.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 26, 2009 01:13 AM
     Systems Affected

    Adobe Flash Player 10.0.22.87 and earlier 10.x versions
    Adobe Flash Player 9.0.159.0 and earlier 9.x versions
    Adobe Reader and Acrobat 9.1.2 and earlier 9.x versions
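
An added example (not part of the original thread, and not Adobe's or Symantec's tooling): a small Python inventory triage that applies the "Systems Affected" ranges quoted above. Versions in branches the list does not cover, such as Reader 6.x, go into a separate "unlisted" bucket rather than being treated as safe; the function names, host names and sample inventory rows are constructed for illustration.

```python
# Ceilings are the "Systems Affected" values quoted in this thread.
AFFECTED = {
    # (product, major branch) -> highest listed version in that branch
    ("flash", 10): (10, 0, 22, 87),
    ("flash", 9): (9, 0, 159, 0),
    ("reader", 9): (9, 1, 2),  # Adobe Reader and Acrobat
}

def parse_version(text):
    """Turn '10.0.22.87' or the comma form '10,0,22,87' into a tuple of ints."""
    parts = text.strip().replace(",", ".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(product, version_text):
    """Return 'affected', 'above_listed' or 'unlisted' (hypothetical labels)."""
    version = parse_version(version_text)
    ceiling = AFFECTED.get((product.lower(), version[0]))
    if ceiling is None:
        # The list is silent on this branch: unknown status, not "safe".
        return "unlisted"
    width = max(len(version), len(ceiling))
    padded = version + (0,) * (width - len(version))
    limit = ceiling + (0,) * (width - len(ceiling))
    return "affected" if padded <= limit else "above_listed"

def triage(inventory):
    """Group (host, product, version) rows by status; bad rows land in 'error'."""
    report = {"affected": [], "above_listed": [], "unlisted": [], "error": []}
    for host, product, version in inventory:
        try:
            status = classify(product, version)
        except ValueError:
            status = "error"
        report[status].append(host)
    return report

SAMPLE_INVENTORY = [  # constructed rows, not real hosts or real build numbers
    ("ws-001", "flash", "10.0.22.87"),
    ("ws-002", "flash", "9,0,124,0"),
    ("ws-003", "reader", "9.1.2"),
    ("ws-004", "reader", "6.0.2"),
    ("ws-005", "flash", "10.0.99.0"),
    ("ws-006", "flash", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```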


  • 7.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 26, 2009 08:29 AM
    > Systems Affected
    > Adobe Flash Player 10.0.22.87 and earlier 10.x versions (...)

    That does not answer my question.

    I asked if older versions of Acrobat reader (such as version 6) are capable of rendering flash content contained within pdf files.

    Adobe's list of affected versions WILL NOT INCLUDE LEGACY VERSIONS THAT THEY DO NOT SUPPORT.   If Acrobat reader 6 is vulnerable, they will not admit it because they no longer support it.

    So I ask again, which versions of Acrobat reader are capable of rendering Flash content that might be found embedded within pdf files?

    And try answering this one:

    If I have Adobe reader 9.x, but do not have the flash player installed, then am I vulnerable?  If so, explain why.



  • 8.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 28, 2009 02:48 AM
    Maybe somebody more familiar with the Adobe family would be able to answer this, but the vulnerable readers are Adobe Acrobat Reader 9.1.2 and earlier versions of 9.x. So I believe 6 would also be vulnerable to not only this vulnerability but many more for which Adobe is famous.


  • 9.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 28, 2009 02:19 PM
    So what is Symantec's response to this?  Have they released an AV/IP signature for this?  What do they recommend?  Surely they aren't saying to go out and reconfigure the thousands of browsers in use within a company???


  • 10.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 28, 2009 02:41 PM
    http://www.symantec.com/norton/security_response/vulnerability.jsp?bid=35759 


  • 11.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 28, 2009 02:57 PM
    long since covered, but the browsers COULD be handled in a simple policy in AD,
    or
    use SEP to block certain files from working.


  • 12.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 28, 2009 04:36 PM
    "smart answer" - if you have any Adobe products anywhere on your computer, you are constantly at risk.

    "Better answer" - the mentioned vulnerability - the specific one is flash related. No flash, no issue.

    "However answer" - you may still have holes simply because you choose to run unsafe products from Adobe (all their products are unsafe, IMO)

    No one really cares about Adobe 6 or there-abouts because it's SO old, I haven't seen a computer with it installed for months.
    Oh, wait! My home notebook has reader 6.0 - and is staying that way so I don't have to deal with the HOLES their new versions have, and all the scripting nonsense!
    My home desktop doesn't run adobe reader - runs a much safer FREE reader that's not had any issues for over a year - no holes in it. No script nonsense, no flash in PDF files.


  • 13.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 30, 2009 08:41 PM

    Symantec's response

    http://www.symantec.com/norton/security_response/v...

    That link does not work for me.  I get a completely blank page (not - page not found).
     



  • 14.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 30, 2009 08:50 PM
    Acrobat reader version 6.x is the last Adobe reader that runs on windows 98, hence why I'm asking if Reader version 6 can handle pdf files that contain embedded flash files or components.

    I've run many of the proof-of-concept examples that are available for the various pdf exploits that have been discovered over the past year or two and none of them function correctly on Acrobat 6.

    So the comment that "acrobat 6 is old and you shouldn't be using it" is not an answer to my question regarding embedded flash content.

    The comment that "acrobat 6 is vulnerable to this or that exploit" is also not an answer to my question about embedded flash content - and it's also not a correct comment based on my experience.

    The wikipedia entry for Adobe Acrobat says this regarding Acrobat reader version 9: 

    "Insert FLV (Flash) or H.264 video for direct playback in Adobe Acrobat and Adobe Reader." 

    The way I read that, it says that the ability to handle pdf files with embedded flash content was introduced with Acrobat reader version 9, and did not exist in earlier versions of Acrobat reader.  Is this a correct interpretation?



  • 15.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 30, 2009 11:04 PM
    No, that is not correct. Adobe 6 can still have inserted flv that will carry the exploit. Here is the article that says it: http://kb2.adobe.com/cps/321/321328.html . So again you should update your Adobe products. I know it says you can't on their site because Windows 98 doesn't meet the minimum requirements, but you might be able to install it anyway. But if I were you I would do as someone suggested above and get one of the free alternatives to Adobe. I have had better luck with them anyway.

    Grant-



  • 16.  RE: Regarding the newly-discovered flash vulnerability

    Posted Jul 31, 2009 10:33 AM
    Adobe released a patch and security bulletin for this vulnerability yesterday. Users are advised to update their Flash players to the new version to fix this issue.

    http://www.adobe.com/support/security/bulletins/apsb09-10.html