Wednesday, February 17, 2010

Critical Vulnerabilities in Adobe Flash, Air, Reader & Acrobat

There is a critical vulnerability in Adobe Flash player version and earlier. This update should be applied as soon as possible to the version 

According to a recent security firm study, up to 80% of all attacks exploiting vulnerabilities in Q4 2009 exploited vulnerabilities in Adobe Reader and Acrobat. That sounds like a lot, but the statistic is still a sign that attackers have been favoring PDF exploits.

Adobe still seems to be struggling to catch up with last year's vulnerabilities. Four PDF vulnerabilities were patched in 2009 after already being exploited in the wild to install malware on users' machines. For a while Adobe was hosting vulnerable, outdated versions of some of its software products on its site for users to download. 2009 was a rough year for Adobe and 2010 has not been much better: one PDF zero-day exploit, discovered on December 15th last year, was not patched until last month on January 12th, and more critical patches followed several days ago on February 12th.

"This zero-day exploit was being delivered via malicious PDF email attachments which targets a JavaScript vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions. Once attacked the malware creates a downloader on the victim's machine that attempts to use Internet Explorer to receive commands." -Jessa De La Torre, TrendMicro

If you need these applications, I recommend disabling JavaScript in Reader and Acrobat and staying away from the Reader browser plug-in. Above all, always remember never to open email attachments from unknown senders; that's just asking for trouble.

It is also a good time to check and see if your system even needs Flash or other third-party applications. I have seen Flash and Reader installed on multiple companies' servers in the past, and I'm not talking about media servers. Do not install Flash on a system that does not require it. In most cases it is only a component that enhances a user's browser experience by letting them watch videos or view websites that use Flash.

First, if it is an important website that your company needs to view, the site will usually have a link for non-Flash users to browse. Second, most people have Flash installed to watch videos and other media. Do you really want your employees to be able to cut into their precious productivity time to watch YouTube? Perhaps it doesn't matter because your current IT department is on top of its game and blocks or filters that sort of web content; in that case, please assess why Flash is still installed on your workstations.

It may seem as if I am coming off a little harsh, but it is a serious matter when a system is compromised because of a critical vulnerability in an application that could have been easily patched or, better yet, properly uninstalled so the service is not even available to be exploited in the first place.

To easily see if you have Adobe Flash installed visit:

In addition to Adobe Flash player, Adobe also released critical updates to fix vulnerabilities in product installations of:

Adobe Air version and earlier to update to the newest version

The PDF viewers Adobe Reader version 9.3 and earlier for Windows, Macs, and Unix; Acrobat 9.3 and earlier for Windows and Macs.

Again, remember to assess whether you need these applications on your system and, if so, please test and patch your systems as soon as possible. Also remember that these security bulletins are rated Critical: a vulnerability which, if exploited, would allow malicious native code to execute, potentially without a user being aware.
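One way to run that assessment on a single Windows machine, as an added example that is not part of the original post: the script lists installed Flash Player, AIR, Reader and Acrobat entries with their versions, then reports whether JavaScript is disabled in Reader and Acrobat for the current user. The `DisplayName` patterns are assumptions about how the installers register themselves.

```powershell
# Added example: read-only audit of one Windows host. It changes nothing.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Which of the affected products are installed, and at what version?
#    Assumption: the installers register a DisplayName starting with "Adobe ...".
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Adobe (Flash Player|AIR|Reader|Acrobat)' } |
    Sort-Object DisplayName |
    Select-Object DisplayName, DisplayVersion

if ($installed) {
    $installed | Format-Table -AutoSize
} else {
    Write-Output 'No Adobe Flash Player, AIR, Reader or Acrobat entries found.'
}

# 2. Is JavaScript disabled in Reader/Acrobat for the current user?
#    The Preferences > JavaScript checkbox is stored per version in
#    JSPrefs\bEnableJS; a missing value means the default, which is enabled.
$prefRoots = 'HKCU:\Software\Adobe\Acrobat Reader', 'HKCU:\Software\Adobe\Adobe Acrobat'
foreach ($root in $prefRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($ver in Get-ChildItem -Path $root) {
        $prefs = "$root\$($ver.PSChildName)\JSPrefs"
        $value = $null
        if (Test-Path $prefs) {
            $value = (Get-ItemProperty -Path $prefs -ErrorAction SilentlyContinue).bEnableJS
        }
        $state = if ($value -eq 0) { 'disabled' } else { 'ENABLED (or default)' }
        Write-Output ("{0}\{1}: JavaScript {2}" -f $root, $ver.PSChildName, $state)
    }
}
```

The JavaScript check reads only the profile of the user running it, so on shared machines it has to be run once per user account.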

Visit Adobe's security bulletin for: 

Flash and Air:

Remember: Attackers only need one unpatched program to compromise your system
