Adobe, the company behind popular technologies such as Flash Player, Shockwave or Adobe Reader released five security bulletins on the same day after teaming up with Microsoft to coordinate security releases.. Of the five, three may be affecting end users as they address vulnerabilities in Adobe Reader and Acrobat, Shockwave Player and Flash Player. All three have received a maximum severity rating of critical, the highest possible rating.

The bulletin APSB11-16 describes a critical vulnerability in Adobe Reader X 10.0.3 and earlier on Windows, and Adobe Reader X 10.0.3 and earlier on Macintosh, as well as earlier versions of Adobe Reader 9 and 8, and Adobe Acrobat 9 and 8. The vulnerability could be exploited by attackers to crash the application to take control of the computer system Adobe Reader X is running on.

Adobe recommends to update the software product to the latest available version. For Adobe Reader X that would mean to update to version 10.1, for users of Adobe Reader 9.4.4 and earlier to update to version 9.4.5.

Adobe Reader and Acrobat users can check for updates in the program interface. This is done via Help > Check for Updates. Updates can also be downloaded from the following locations.

• Adobe Reader Windows
• Adobe Reader Macintosh

You can also check out Adobe Reader X Offline Installers

Security Bulletin APSB11-17 describes vulnerabilities in Adobe Shockwave Player 11.5.9.620 and earlier on the Windows and Macintosh platform. Attackers who successfully exploit the vulnerabilities could run malicious code on the computer system. Adobe recommends to update Shockwave Player to version 11.6.0.626 to protect the system from possible exploits.

Windows and Mac users who run Shockwave Player on their system can download the latest version at the official download site.

Bulletin APSB11-18 finally describes a vulnerability in Adobe Flash Player that affects Adobe Flash Player 10.3.181.23 and earlier on Windows, Macintosh, Linux and Solaris, as well as Flash Player 10.3.185.23 and earlier for Android.

The vulnerability could be exploited to cause a crash which could allow the attacker to gain control over the affected system. Adobe has confirmed reports that the vulnerability is exploited in the wild in the form of targeted attacks on specifically prepared websites.

Adobe recommends to update Flash Player to Adobe Flash Player 10.3.181.26 on desktop operating systems. Android users will receive a patch before week’s end.

Users can verify their installed version of Flash Player by visiting the About Flash Player page at Adobe.

Adobe lists the latest version for all supported operating systems on the page, so that users only need to compare their installed version with the latest available version to see if they need to update.

The latest versions can be downloaded from Adobe’s Flash Player Download Center. Users who do not want to use the download manager can check out this guide Download Adobe Flash Without Adobe Download Manager.

Google Chrome users can check for updates in Chrome to get the latest version. This is done by clicking on the wrench icon and selecting About Google Chrome.

The critical vulnerability affects Adobe Flash, and since Adobe implemented Flash technology in Adobe Reader and Acrobat, those products as well.

The Flash vulnerability affects all Adobe Flash Player 10.2.152.33 and earlier versions on all supported operating systems, as well as Flash Player 10.2.154.18 and earlier for Chrome, Flash Player 10.1.106.16 and earlier for Android and Adobe AIR 2.5 and earlier. Google recently pushed an update that resolved the vulnerability for Chrome.

Attackers can exploit the vulnerability to cause a crash which could allow them to take control over the affected system. We already mentioned in our first report on March 14 that the issue was actively exploited by attackers in the form of embedded Flash files in Microsoft Excel documents that were delivered as email attachments.

The Flash Player update is available on the official Flash download page over at Adobe. Google Chrome users with automatic updates enabled do not need to download the update as Google has already pushed an update to all Chrome users that updated Flash to the latest version.

The new Flash version is 10.2.153.1 for all supported desktop PCs, 10.2.156.12 for Android and 10.2.154.25 for Google Chrome.

Adobe AIR users can download the new version of the application from the official Adobe AIR download center, the new Adobe Air version is 2.6.

Users can verify their version of Adobe Flash by visiting the About Adobe Flash Player page.

The Security Bulletin that lists additional information is accessible here.

Adobe has released an update for Adobe Reader and Acrobat as well to address the same critical security vulnerability. Adobe Reader and Acrobat X, 10.x and 9.x are affected on Windows and Macintosh systems.

Existing Adobe Reader and Adobe Acrobat users can use the built-in updating functionality to update the software to the latest version. They need to open Adobe Reader and select Help > Check for Updates from the menu to initiate that process.

It needs to be noted that Adobe is not supplying an update for Adobe Reader X at this point in time. The reasoning is that Adobe Reader X is using Protected Mode which “would prevent an exploit of this kind from executing”. The update will be addressed on the coming quarterly security update which is scheduled for June 14.

The security bulletin lists additional information about the vulnerability, and download links that point to the latest program versions of affected applications.

The security update for Adobe Flash Player fixes several critical vulnerability in Flash Player 10.1.102.64 and earlier on Windows, Macintosh, Linux and Solaris. Successful exploits could “cause the application to crash and could potentially allow an attacker to take control of the affected system”.

The update increases the version of the application to Adobe Flash Player 10.2.152.26 on all affected systems.

The update can be downloaded directly from Adobe.

More information about the update are available on Adobe’s Security Bulletin page.

Adobe Reader, Acrobat

Critical vulnerabilities have also been identified in Adobe Reader and Acrobat. Affected versions include Adobe Reader X, Adobe Reader 9.4.1 for Windows, Macintosh and Unix, and Adobe Acrobat X and earlier for Windows and Macintosh. Please note that the update incorporates the Adobe Flash Player update.

The vulnerabilities “could cause the application to crash and potentially allow an attacker to take control of the affected system. Risk for Adobe Reader X users is significantly lower, as none of these issues bypass Protected Mode mitigations”.

Updates are available to increase the version of Adobe Reader X to 10.0.1, Adobe Reader 9.4.1 to 9.4.2 and Adobe Acrobat X to 10.0.1.

Download links for all affected applications are posted on the security bulletin page over at Adobe.

The Microsoft Security Bulletin Advance Notification for February 2011 details the upcoming patches. A total of 12 security bulletins are released next Tuesday of which all but one fix issues in the Microsoft Windows operating system. The remaining patch fixes a vulnerability in Microsoft Office.

Three of the security vulnerabilities have received a maximum severity rating of critical, the highest available rating, the remaining nine a severity rating of important.

• Microsoft’s newest operating system Windows 7 is affected by seven of the twelve issues. Of those, two are rated critical and the remaining five as important.
• Windows Vista is affected by six vulnerabilities with three rated as critical and the remaining three as important.
• Windows XP is affected by eight vulnerabilities with two being rated as critical and six as important.
• Windows Server 2003 is affected by 10 vulnerabilities of which one is critical, eight are important and one is moderate.
• Windows Server 2008 is affected in the same way as the Vista operating system, with the exception that one of the critical vulnerabilities is only rated as moderate here.
• Windows Server 2008 R2 finally is affected the same way as Windows 7, again with the exception of two vulnerabilities that are rated as moderate instead of critical and important.

The remaining vulnerabiliy affected Microsoft Visio 2002 Service Pack 2, Visio 2003 Service Pack 3 and Visio 2007 Service Pack 2. It is rated as important.

The advanced notifications are accessible here.

Adobe

Adobe has released a Prenotification Security Advisory for Adobe Reader and Acrobat.

Adobe is planning to release updates for Adobe Reader X (10.0) for Windows and Macintosh, Adobe Reader 9.4.1 and earlier versions for Windows, Macintosh and UNIX, Adobe Acrobat X (10.0) for Windows and Macintosh, and Adobe Acrobat 9.4.1 and earlier versions for Windows and Macintosh to resolve critical security issues. Adobe expects to make updates for Windows and Macintosh available on Tuesday, February 8, 2011. An update for UNIX is expected to be available by the week of February 28, 2011.

Expect lots of patching next Tuesday. We will post detailed information once the patches are released by Microsoft and Adobe.

To make matters worse, a new vulnerability has been confirmed by Adobe affecting Adobe Reader 9.2 or later and Adobe Reader 8.1.7 or later. A “proof-of-concept file demonstrating a Denial of Service was published” already that crashes the pdf reader. The exploit does not demonstrate arbitrary code execution, but Adobe is not eliminating the possibility at this point in time. It has to be noted that Adobe Acrobat is not affected by the security vulnerability.

The blog post of the Security and Response team offers instructions on how to protect the computer system from this vulnerability.

Adobe Reader 9.2 and later and Adobe Reader 8.1.7 and later – Windows

On Windows, the JavaScript Blacklist can be in two locations. Please review the following options and then create the registry key of your choice:

Enterprise list: This blacklist helps enterprises roll out policies that block exploitable API(s) from executing in their environment. Populating the blacklist in this location is the responsibility of the enterprise. Adobe patches never modify this registry location.
To create the registry key:
HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cJavaScriptPerms\tBlackList

Adobe’s update/patch list: The Adobe blacklist is modified by Adobe Reader patches whenever an API is deemed vulnerable. APIs are also removed from the blacklist whenever a fix for a vulnerability is provided by the current patch.
To create the registry key:
HKLM\SOFTWARE\Adobe\<product>\<version>\JavaScriptPerms\tBlackList

On a 64 bit Windows system, the path is:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe

->To prevent this particular issue, add the following value to the registry key created in the previous step (case sensitive):
Doc.printSeps

->Exit and restart the application

Adobe Reader 9.2 and later and Adobe Reader 8.1.7 and later – Macintosh

On your Macintosh computer, go to the Applications folder or to the location where you have Adobe Reader installed.
Right-click on Adobe Reader
Click on Show Package Contents
Expand Contents
Expand MacOS
Expand Preferences
Create a backup of the FeatureLockDown file.
Right-click on FeatureLockDown.
Open With TextEdit.
Just before the last >> add the following line to the FeatureLockDown file (case sensitive):
/JavaScriptPerms [ /c << /BlackList [ /t (Doc.printSeps) ] >> ]
Save the file
Restart Adobe Reader

Adobe Reader 9.2 and later – UNIX

Go to the Global Prefs file at:
/Reader/GlobalPrefs/reader_prefs
Add the following line to the file:
/JavaScriptPerms [/c << /BlackList [/t (Doc.printSeps) ] >> ]

There you have it. Make sure you protect your version of Adobe Reader from the vulnerability by following the instructions posted above. The posting does not offer any information on the consequences of protecting the pdf reader from the vulnerability. It is also not clear if Adobe will be able to include the patch for this vulnerability in the upcoming update.

As if that was not enough, there is also a new vulnerability in Adobe Shockwave Player.

Krystian Kloskowski has discovered a vulnerability in Shockwave Player, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to a use-after-free error in an automatically installed compatibility component as a function in an unloaded library may be called.

Successful exploitation allows execution of arbitrary code, but requires that a user is tricked into opening the “Shockwave Settings” window when viewing a web page.

The vulnerability is confirmed in version 11.5.9.615. Other versions may also be affected.

The description makes it clear that systems are only vulnerable to this attack if the user opens the Shockwave Settings window on a specially prepared website.

The rushed state of the release indicates that the issue gets actively exploited which is confirmed in Adobe’s Security Bulletin that mentions that the issue is being actively exploited in the wild. Attackers may be able to crash the application on the computer and take control of the affected system in the process. Upgrading is the only way of protecting the computer from those vulnerabilities.

Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh,
who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.) Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.

This accelerated patch breaks Adobe’s quarterly patch day that is set for every second Tuesday of each quarter of the year to fall in line with Microsoft’s Patch Tuesday. Interested users can take a closer look at the Security Bulletin, or point their web browsers to Get Adobe Reader right away to download the latest version of the pdf reader. Updates are also available directly in the program (by clicking on Help > Check for Updates).

The critical vulnerabilities are affecting all operating systems that Adobe Reader is compatible with (Microsoft Windows, Apple Macintosh and Unix based) and versions of Adobe Reader 9.3.1 and Adobe Acrobat 9.3.1 or earlier.

The critical nature of the vulnerabilities requires immediate attention from users who have affected software versions installed on their computer systems.

Adobe is offering the update through various channels. It is possible to check for updates from within the pdf readers by clicking on Help > Check for updates or to download the updates from the official Adobe website.

Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here:
ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.3.2/.

The update is still separated from the full version of Adobe Reader that is offered on the Adobe homepage. There is still no full version of Adobe Reader 9.3.2 available on the Adobe homepage which still offers Adobe Reader 9.3.0 to visitors.

Users who want to find out more about the security vulnerabilities can check out the security bulletin that contains detailed information about the vulnerabilities that are closed with the new release.

We have posted information about the security vulnerability in the forum but not here on the blog. Adobe has now updated information about the security vulnerability which basically fixed the issue so that users who download and use the Adobe Download Manager from February 23 on do not download the vulnerable software.

Adobe has also posted instructions to verify that the vulnerable version of the Adobe Download Manager does not reside on the computer system if it has been downloaded prior to February 23.

Ensure that the C:\Program Files\NOS\ folder and its contents (“NOS files”) are not present on your system. (If the folder is present, follow the steps below to remove).
Click “Start” > “Run” and type “services.msc”. Ensure that “getPlus(R) Helper” is not present in the list of services.
If the NOS files are found, the Adobe Download Manager issue can be mitigated by:

Navigating to Start > Control Panel > Add or Remove Programs > Adobe Download Manager, and selecting Remove to remove the Adobe Download Manager from your system.

OR

Clicking “Start” > “Run” and typing “services.msc”. Then deleting “getPlus(R) Helper” from the list of services.
Then delete the C:\Program Files\NOS\ folder and its contents.

Probably the easiest way to handle the issue is to uninstall the Adobe Download Manager if it is listed in the list of installed programs. If it is it can be uninstalled easily which will remove the issue. The issue only affects Windows versions of the Adobe Download Manager.

• Microsoft Security Bulletin MS10-001 – Critical Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font in client applications that can render EOT fonts, such as Microsoft Internet Explorer, Microsoft Office PowerPoint, or Microsoft Office Word. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  This security update is rated Critical for Microsoft Windows 2000, and is rated Low for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Adobe has released security updates for Adobe Reader and Adobe Acrobat which patch critical vulnerability in Adobe Reader 9.2 and Adobe Acrobat 9.2 for Windows, Macintosh and Unix as well as Adobe Reader 8.1.7 and Acrobat 8.1.7 for Windows and Macintosh.

• These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. Adobe recommends users of Adobe Reader 9.2 and Acrobat 9.2 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3 and Acrobat 9.3. Adobe recommends users of Acrobat 8.1.7 and earlier versions for Windows and Macintosh update to Acrobat 8.2. For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3, Adobe has provided the Adobe Reader 8.2 update. Updates apply to all platforms: Windows, Macintosh and UNIX.

Adobe itself did not reveal details about the exploit in the blog post but a post at the Shadowserver website which is run by security volunteers from around the world. According to information posted on their website the exploit has been in the wild since at least December 11. The number of attacks have been limited and targeted so far according to their information. They do expect the “exploit to become more wide spread in the next few weeks” with the potential to become fully public in the same timeframe.

The security researchers did not want to reveal all the information about the vulnerability but mentioned that it was found in the JavaScript function in Adobe Acrobat and Adobe Reader.

With that said we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult. On the bright side though, there are some solutions to this problem.

A temporary fix was also published on the same website.

We have said it before and we will say it again: Disable JavaScript.

Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

We have not had time to fully test but enabling hardware DEP for systems that support it may also mitigate this issue.

Adobe users are encouraged to disable JavaScript as soon as possible to block their version of the program from being vulnerable.

The security updates are provided for Adobe Reader and Adobe Acrobat software products running on both Microsoft Windows and Apple Macintosh operating systems. The security bulletin that was issued yesterday contains links that point to downloads for all affected programs and operating systems.

The affected programs are:

• Adobe Reader 9.1.1 and earlier versions
• Adobe Acrobat Standard, Pro, and Pro Extended 9.1.1 and earlier versions

Adobe recommends users of Adobe Reader and Acrobat update their product installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions above to protect themselves from potential vulnerabilities. The above updates apply to Windows and Macintosh. Security updates for Adobe Reader on the UNIX platform will be available on June 16, 2009; this Bulletin will be updated to reflect their availability on that date.

Security conscious users might want to consider switching from Adobe Reader to a third party application like Foxit Reader, Sumatra PDF or PDF-Xchange Viewer.

Adobe Reader 9 and Acrobat 9 as well as Adobe Reader 7.1.0 and Acrobat 7.1.0 are not affected by the security vulnerability. The vulnerability causes the applications to crash which can allow an attacker to take control of the host system.

Downloads are available that fix the security vulnerability in Adobe Reader 8 for Windows and Macintosh computers. Take a look at the security bulletin issued by Adobe if you are using Adobe Acrobat or a previous version of one of the products to find the links pointing to updates for your product.