Regarding the newly-discovered flash vulnerability
Updated: 21 May 2010 | 15 comments
This issue has been solved. See solution.
Regarding this newly-discovered flash vulnerability:
CERT Security Alert TA09-204A
Can someone explain how (or if) a system is vulnerable if:
a) the system has no installed version of Adobe Acrobat
or
b) a system has an old version of acrobat (specifically, version 6.x).
Is it true that this exploit relies on pushing a .pdf file to the victim, and the .pdf file contains flash functionality that is called by acrobat?
Or does this exploit rely only on flash, and the file being "pushed" is a .swf file that does not require the presence of acrobat reader in order to execute and perform the exploitation?
Comments
A) Yes, systems without Acrobat are also at risk if the Flash plugin is enabled in the web browser
B) Systems with older version of Acrobat are definitely at risk.
Two ways to exploit: The user can be lured into visiting a website leading to execution of swf file or executing a malicious pdf file.
It does not only depend on flash.
> Yes, systems without
> in the web browser
In that case, is the exploit file a .swf flash file, or a .pdf acrobat file? Can the flash player handle .pdf files by itself?
> B) Systems with older version of Acrobat are definitely at risk.
I have run proof-of-concept examples of many of the .PDF exploits that have been discovered during the past year on systems with Acrobat reader 6.02 (running Windows 98) and they do not seem to function properly given that combination. Also, Adobe has never stated (as far as I can tell) that Acrobat 6 is or was vulnerable to any of the .pdf exploits that have been discovered during the past, oh, 2 years.
Please explain (or please indicate an appropriate URL) that specifically mentions the vulnerability status of Acrobat 6.x in terms of the .pdf exploits discovered in 2007, 2008 and 2009.
> Two ways to exploit : The user can be lured into visiting a website leading to
> execution of swf file or executing a malicious pdf file.
Can the flash player be tricked into executing a .pdf file? Even if the file name ends in .swf ?
> It does not only depend on flash.
That's where I'm confused. If it doesn't depend on flash, then why is it being referred to specifically as a flash vulnerability?
Are these two SEPARATE vulnerabilities?
Or are they the SAME root vulnerability that can be exploited from two different directions (a malicious pdf file and a malicious .swf file) ???
CERT Security Alert TA09-204A
Adobe has released Security advisory APSA09-03, which describes a vulnerability affecting Adobe Flash. Other Adobe applications that include the Flash runtime, such as Adobe Reader 9, are also affected.
I. Description
Adobe Security Advisory APSA09-03 describes a vulnerability affecting the Adobe Flash player. Flash player version 10.0.22.87 and earlier 10.x versions as well as Flash player version 9.0.159.0 and earlier 9.x versions are affected.
An attacker could exploit this vulnerability by convincing a user to visit a website that hosts a specially crafted SWF file. The Adobe Flash browser plugin is available for multiple web browsers and operating systems, any of which could be affected. An attacker could also create a PDF document that has an embedded SWF file to exploit the vulnerability.
This vulnerability is being actively exploited.
II. Impact
This vulnerability allows a remote attacker to execute arbitrary code as the result of a user viewing a web page or opening a PDF document.
III. Solution
These vulnerabilities can be mitigated by disabling the Flash plugin or by using the NoScript extension for Mozilla Firefox or SeaMonkey to whitelist websites that can access the Flash plugin. For more information about securely configuring web browsers, please see the Securing Your Web Browser document. US-CERT Vulnerability Note VU#259425 has additional details, as well as information about mitigating the PDF document attack vector.
Ref: http://www.us-cert.gov/cas/techalerts/TA09-204A.html
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
> An attacker could also create a PDF document that has an embedded
> SWF file to exploit the vulnerability.
I assume that a malicious pdf document that contains the swf exploit would be opened first by Acrobat reader, and the reader would use the installed flash player to render the embedded swf file.
What versions of Adobe acrobat reader contain the functionality to auto-render swf content that might be contained within a PDF file? Specifically, does version 6 have this functionality?
Systems Affected
Adobe Flash Player 10.0.22.87 and earlier 10.x versions
Adobe Flash Player 9.0.159.0 and earlier 9.x versions
Adobe Reader and Acrobat 9.1.2 and earlier 9.x versions
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
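Added example, not part of any post in this thread: a small inventory triage against the version ranges quoted in the "Systems Affected" reply above. The host names, sample inventory and status labels are constructed for illustration; a version on a branch the advisory does not list (such as Reader 6.x) is reported separately, because the advisory makes no statement about it either way.

```python
# Highest affected version per listed branch, as quoted in the
# "Systems Affected" reply (TA09-204A / APSA09-03).
AFFECTED = {
    "flash player": [(10, 0, 22, 87), (9, 0, 159, 0)],
    "reader": [(9, 1, 2)],
    "acrobat": [(9, 1, 2)],
}


def parse_version(text):
    """Turn '10.0.22.87' into (10, 0, 22, 87); reject non-numeric input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(product, version):
    """Return one of four constructed status labels for a product/version."""
    ceilings = AFFECTED.get(product.strip().lower())
    if ceilings is None:
        return "product-not-in-advisory"
    v = parse_version(version)
    for ceiling in ceilings:
        if v[0] != ceiling[0]:
            continue  # different major branch (e.g. 9.x vs 10.x)
        # Pad so that '9.1' compares as 9.1.0 against 9.1.2.
        width = max(len(v), len(ceiling))
        pad = lambda t: t + (0,) * (width - len(t))
        if pad(v) <= pad(ceiling):
            return "affected"
        return "above-listed-ceiling"
    # The advisory names no version on this branch: unknown, not "safe".
    return "branch-not-listed"


# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("host-a", "Flash Player", "10.0.22.87"),
    ("host-b", "Flash Player", "9.0.124.0"),
    ("host-c", "Reader", "9.1"),
    ("host-d", "Reader", "6.0.2"),
    ("host-e", "Flash Player", "10.0.32.18"),
]


def triage(inventory):
    """Map each host to the status of its installed product."""
    return {host: classify(prod, ver) for host, prod, ver in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(host, status)
```

Hosts reported as `branch-not-listed` need a separate decision (testing, removal or isolation), since the version list alone cannot settle them.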
> Systems Affected
> Adobe Flash Player 10.0.22.87 and earlier 10.x versions (...)
That does not answer my question.
I asked if older versions of Acrobat reader (such as version 6) are capable of rendering flash content contained within pdf files.
Adobe's list of affected versions WILL NOT INCLUDE LEGACY VERSIONS THAT THEY DO NOT SUPPORT. If Acrobat reader 6 is vulnerable, they will not admit it because they no longer support it.
So I ask again, which versions of Acrobat reader are capable of rendering Flash content that might be found embedded within pdf files?
And try answering this one:
If I have Adobe reader 9.x, but do not have the flash player installed, then am I vulnerable? If so, explain why.
"smart answer" - if you have any Adobe products anywhere on your computer, you are constantly at risk.
"Better answer" - the mentioned vulnerability - the specific one is flash related. No flash, no issue.
"However answer" - you may still have holes simply because you choose to run unsafe products from Adobe (all their products are unsafe, IMO)
No one really cares about Adobe 6 or there-abouts because it's SO old, I haven't seen a computer with it installed for months.
Oh, wait! My home notebook has reader 6.0 - and is staying that way so I don't have to deal with the HOLES their new versions have, and all the scripting nonsense!
My home desktop doesn't run adobe reader - runs a much safer FREE reader that's not had any issues for over a year - no holes in it. No script nonsense, no flash in PDF files.
My sites - http://theamcpages.com & http://antique-engines.com
not sure
Maybe somebody more familiar with the Adobe family would be able to answer this, but the vulnerable readers are Adobe Acrobat Reader 9.1.2 and earlier versions of 9.x. So I believe 6 would also be vulnerable to not only this vulnerability but many more, for which Adobe is famous.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Symantec Response
So what is Symantec's response to this? Have they released an AV/IP signature for this? What do they recommend? Surely they aren't saying to go out and reconfigure the thousands of browsers in use within a company???
Matt Barber
Advanced Client Services Engineer
TN User Group Marketing Director
long since covered, but the browsers COULD be handled in a simple policy in AD,
or
use SEP to block certain files from working.
My sites - http://theamcpages.com & http://antique-engines.com
Symantec's response
http://www.symantec.com/norton/security_response/v...
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
> Symantec's response
> http://www.symantec.com/norton/security_response/v...
That link does not work for me. I get a completely blank page (not - page not found).
Still wondering if Acrobat Reader 6.x can play flash content
Acrobat reader version 6.x is the last Adobe reader that runs on windows 98, hence why I'm asking if Reader version 6 can handle pdf files that contain embedded flash files or components.
I've run many of the proof-of-concept examples that are available for the various pdf exploits that have been discovered over the past year or two and none of them function correctly on Acrobat 6.
So the comment that "acrobat 6 is old and you shouldn't be using it" is not an answer to my question regarding embedded flash content.
The comment that "acrobat 6 is vulnerable to this or that exploit" is also not an answer to my question about embedded flash content - and it's also not a correct comment based on my experience.
The wikipedia entry for Adobe Acrobat says this regarding Acrobat reader version 9:
"Insert FLV (Flash) or H.264 video for direct playback in Adobe Acrobat and Adobe Reader."
The way I read that, it says that the ability to handle pdf files with embedded flash content was introduced with Acrobat reader version 9, and did not exist in earlier versions of Acrobat reader. Is this a correct interpretation?
No, that is not correct. Adobe 6 can still have inserted flv that will carry the exploit. Here is the article that says it: http://kb2.adobe.com/cps/321/321328.html . So again you should update your Adobe products. I know it says you can't on their site because Windows 98 doesn't meet the minimum requirements, but you might be able to install it anyway. But if I were you I would do as someone suggested above and get one of the free alternatives to Adobe. I have had better luck with them anyway.
Grant-
Please don't forget to mark your thread solved with whatever answer helped you : )
Security updates available for Adobe Flash Player
Adobe released a patch and security bulletin for this vulnerability yesterday. Users are advised to update their Flash players to the new version to fix this issue.
http://www.adobe.com/support/security/bulletins/ap...