Secure IT Alert: Adobe offers Zero Day Flash exploit patch for Apple Mac OS X, MS Windows, Google Chrome & Android

Homeland Secure IT Alert for Wednesday, March 23, 2011

Adobe has released out-of-cycle updates earlier this week that affect Flash Player, Reader and Acrobat across many platforms such as Apple Mac OS X, Microsoft Windows, Android and Chrome… Here is the summary from the WatchGuard Security Center:

Severity: High

21 March, 2011

Summary:

• These vulnerabilities affects: Recent versions of Adobe Reader, Acrobat,  and Flash Player
• How an attacker exploits it: In various ways, but most commonly by enticing your users into visiting a website containing malicious Flash or Reader content
• Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
• What to do: If you use these popular Adobe products, you should download and install their various updates as soon as possible.

Exposure:

Typically, Adobe’s quarterly Patch Day falls on the same Tuesday as Microsoft Patch Day (the second Tuesday of the month). However, a recent zero day Flash exploit circulating in the wild has encouraged Adobe to release a few out-of-cycle patches early. Today, Adobe released two security bulletins that fix a  zero day Flash vulnerability in Reader, Acrobat, and Flash Player, running on all platforms (including Android).

Though the two bulletins affect different software, they both fix the same core Flash related vulnerability that we described in our earlier WatchGuard Security Center post. As usual, Adobe doesn’t describe this zero day flaw in any technical detail. However, they do mention that the flaw lies within the authplay.dll component, which all three vulnerable products use. By enticing one of your users to visit a web site or download a PDF file containing malicious flash content, an attacker could leverage this flaw to execute code with that users privileges. If your users have administrative or root privileges on the victim platform, the attacker would gain complete control.

As was the case during our first post, attackers have been exploiting this flaw in the wild (even before Adobe knew it existed). If you use the affected software (as most users do), we highly recommend you install Adobe’s updates immediately.

For more details about these update, see Adobe’s bulletins below:

• APSB11-05: March 2011 Flash Player Update
• APSB11-06 : March 2011 Reader and Acrobat Update

Solution Path:

Adobe has released Reader, Acrobat, and Flash Player updates to fix this flaw. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you. Note: Adobe has not yet released a Reader X update for this vulnerability, since Reader X’s default sand-boxing technology should protect you from this flaw by default.That said, we do expect a Reader X update at a later date.

• APSB11-05:
  • Flash Player 10.2.153.1
  • Flash Player 10.2.156.12 for Android <= (link only works from Android phone)
  • Google Chrome (w/Flash 10.2.154.25)
  • AIR 2.6
• APSB11-06:
  • Adobe Reader
  • For Windows
  • For Mac
    • Adobe Acrobat
    • Standard and Pro for Windows
    • Pro Extended for Windows
    • Pro for Mac

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading certain types of files via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of some of these vulnerabilities by blocking various Adobe-related files using your Firebox’s proxy services. Such files include, .PDF, .SWF, .DIR, .DCR, and .FLV. That said, many websites rely on these files to display interactive content. Blocking them could prevent some sites from working properly. Furthermore, many businesses rely on PDF files to share documents. Blocking them would affect legitimate files as well. For that reason, we recommend the updates above instead.

Nonetheless, if you choose to block some Adobe files, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by their file extensions:

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy
• Firebox X Core and X Peak running Fireware 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Adobe has released updates to fix these vulnerabilities.

References:

• Adobe Flash Player Security Bulletin
• Adobe Reader Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP. (@SecAdept)

—

If you require assistance with these or any other computer service related issues in Greenville or Upstate SC, please call 864.990.4748 or email info@homelandsecureit.com – We are WatchGuard partners and offer sales and support of their fine line of security appliances to help protect your network!