[Nottingham] A wry combo: nspluginwrapper fixed and Adobe Updates for Multiple Vulnerabilities

Martin martin at ml1.co.uk
Thu Jun 16 11:48:12 UTC 2011 

Folks,

A little bit of a wry combination on certain maillists this morning:

"nspluginwrapper has been updated to 1.3.x and now to 1.4.x, i.e. it
has a new upstream maintainer http://nspluginwrapper.davidben.net

For the first time in probably 2-3years, the 32bit Adobe Flash player
seemed to work for me in a 64bit browser (I tested firefox and
konqueror).

So give it a shot."


And...

"... vulnerabilities could allow a remote attacker to execute
arbitrary code, write arbitrary files or folders to the file system,
escalate local privileges, or cause a denial of service on an affected
system as the result of a user opening a malicious PDF file.

If a user opens specially crafted Shockwave content, a remote attacker
may be able to execute arbitrary code.

If a user opens specially crafted Flash content, a remote attacker may
be able to execute arbitrary code."


Expect a few updates to roll out soon!

Two interesting points apart from the lamentable continuous stream of
security vulnerabilities from such 3rd party code:

1: Linux is prominently detailed in the US-CERT alert. Normally, they
are 'Windows-only';

2: Perhaps users are more vulnerable to dodgy applications rather than
actual OS vulnerabilities...


Anyhow, for a document reader and media player, what in cyberland is
that application doing running arbitrary code in the first place? Is
not a document merely static data that is merely read and displayed
(and *never* to be 'executed')?... ;-) ( <-- An evil winkie! :-) )


Aside: Also notice the use of "GnuPG v1.4.5 (GNU/Linux)". Linux hits
the great US-of-A?

Cheers,
Martin


On 15 June 2011 18:04, US-CERT Technical Alerts
<technical-alerts at us-cert.gov> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>                    National Cyber Alert System
>
>              Technical Cyber Security Alert TA11-166A
>
>
> Adobe Updates for Multiple Vulnerabilities
>
>   Original release date: June 15, 2011
>   Last revised: --
>   Source: US-CERT
>
>
> Systems Affected
>
>     * Adobe Reader X (10.0.1) and earlier 10.x versions for Windows
>     * Adobe Reader X (10.0.3) and earlier 10.x versions for Macintosh
>     * Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh
>     * Adobe Reader 8.2.6 and earlier 8.x versions for Windows and Macintosh
>     * Adobe Acrobat X (10.0.3) and earlier 10.x versions for Windows and Macintosh
>     * Adobe Acrobat 9.4.3 and earlier 9.x versions for Windows and Macintosh
>     * Adobe Acrobat 8.2.6 and earlier 8.x versions for Windows and Macintosh
>     * Shockwave Player 11.5.9.620 and earlier versions for Windows and Macintosh.
>     * Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
>     * Adobe Flash Player 10.3.185.23 and earlier versions for Android
>
>
> Overview
>
>   Adobe has released Security Bulletin APSB11-16, which describes
>   multiple vulnerabilities affecting Adobe Reader and Acrobat.
>
>   Adobe has released Security Bulletin APSB11-17, which describes
>   multiple vulnerabilities affecting Adobe Shockwave Player.
>
>   Adobe has released Security Bulletin APSB11-18, which describes
>   multiple vulnerabilities affecting Adobe Flash Player.
>
>
> I. Description
>
>   Adobe Security Bulletin APSB11-16 describes a number of
>   vulnerabilities affecting Adobe Reader and Acrobat. These
>   vulnerabilities affect Reader and Acrobat 9.3.4, earlier 9.x
>   versions, 8.2.6, and earlier 8.x versions. These vulnerabilities
>   also affect Reader X and Acrobat X 10.0.3, 10.0.1, and earlier 10.x
>   versions.
>
>   An attacker could exploit these vulnerabilities by convincing a
>   user to open a specially crafted PDF file. The Adobe Reader browser
>   plug-in, which can automatically open PDF documents hosted on a
>   website, is available for multiple web browsers and operating
>   systems.
>
>   Adobe Security Bulletin APSB11-17 describes a number of
>   vulnerabilities affecting Adobe Shockwave Player. These
>   vulnerabilities affect Shockwave Player 11.5.9.620 and earlier
>   versions.
>
>   An attacker could exploit this vulnerability by convincing a user
>   to open specially crafted Shockwave content. Shockwave content is
>   commonly hosted on a web page, but it can also be embedded in PDF
>   and other documents or provided as a stand-alone file.
>
>   Adobe Security Bulletin APSB11-18 describes a number of
>   vulnerabilities affecting Adobe Flash Player. These vulnerabilities
>   affect Flash Player 10.3.181.23 and earlier versions for Windows,
>   Macintosh, Linux and Solaris operating systems. These
>   vulnerabilities also affect Flash Player 10.3.185.23 and earlier
>   versions for Android.
>
>   An attacker could exploit this vulnerability by convincing a user
>   to open specially crafted Flash content. Flash content is commonly
>   hosted on a web page, but it can also be embedded in PDF and other
>   documents or provided as a stand-alone file.
>
>
> II. Impact
>
>   These vulnerabilities could allow a remote attacker to execute
>   arbitrary code, write arbitrary files or folders to the file
>   system, escalate local privileges, or cause a denial of service on
>   an affected system as the result of a user opening a malicious PDF
>   file.
>
>   If a user opens specially crafted Shockwave content, a remote
>   attacker may be able to execute arbitrary code.
>
>   If a user opens specially crafted Flash content, a remote attacker
>   may be able to execute arbitrary code.
>
>
> III. Solution
>
>   Update Reader
>
>   Adobe has released updates to address this issue. Users are
>   encouraged to read Adobe Security Bulletin APSB11-16 and update
>   vulnerable versions of Adobe Reader and Acrobat.
>
>   Update Adobe Shockwave Player
>
>   Adobe has released updates to address this issue. Users are
>   encouraged to read Adobe Security Bulletin APSB11-17 and update
>   vulnerable versions of Adobe Shockwave Player.
>
>   Update Adobe Flash Player
>
>   Adobe has released updates to address this issue. Users are
>   encouraged to read Adobe Security Bulletin APSB11-18 and update
>   vulnerable versions of Adobe Adobe Flash Player.
>
>   Disable Flash in your web browser
>
>   Uninstall Flash or restrict which sites are allowed to run Flash.
>   To the extent possible, only run trusted Flash content on trusted
>   domains. For more information, see Securing Your Web Browser.
>
>   Disable Flash in Adobe Reader and Acrobat
>
>   Disabling Flash in Adobe Reader will mitigate attacks that rely on
>   Flash content embedded in a PDF file. Disabling 3D & Multimedia
>   support does not directly address the vulnerability, but it does
>   provide additional mitigation and results in a more user-friendly
>   error message instead of a crash. To disable Flash and 3D &
>   Multimedia support in Adobe Reader 9, delete, rename, or remove
>   access to these files:
>
>   Microsoft Windows
>   "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
>   "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"
>
>   Apple Mac OS X
>   "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
>   "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"
>
>   GNU/Linux (locations may vary among distributions)
>   "/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
>   "/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"
>
>   File locations may be different for Adobe Acrobat or other Adobe
>   products that include Flash and 3D & Multimedia support. Disabling
>   these plugins will reduce functionality and will not protect
>   against Flash content hosted on websites. Depending on the update
>   schedule for products other than Flash Player, consider leaving
>   Flash and 3D & Multimedia support disabled unless they are
>   absolutely required.
>
>   Disable JavaScript in Adobe Reader and Acrobat
>
>   Disabling JavaScript may prevent some exploits from resulting in
>   code execution. Acrobat JavaScript can be disabled using the
>   Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable
>   Acrobat JavaScript).
>
>   Adobe provides a framework to blacklist specific JavaScipt APIs. If
>   JavaScript must be enabled, this feature may be useful when
>   specific APIs are known to be vulnerable or used in attacks.
>
>   Prevent Internet Explorer from automatically opening PDF files
>
>   The installer for Adobe Reader and Acrobat configures Internet
>   Explorer to automatically open PDF files without any user
>   interaction. This behavior can be reverted to a safer option that
>   prompts the user by importing the following as a .REG file:
>
>   Windows Registry Editor Version 5.00
>
>   [HKEY_CLASSES_ROOT\AcroExch.Document.7]
>   "EditFlags"=hex:00,00,00,00
>
>   Disable the display of PDF files in the web browser
>
>   Preventing PDF files from opening inside a web browser will
>   partially mitigate this vulnerability. If this workaround is
>   applied, it may also mitigate future vulnerabilities.
>
>   To prevent PDF files from automatically being opened in a web
>   browser, do the following:
>
>   1. Open Adobe Acrobat Reader.
>   2. Open the Edit menu.
>   3. Choose the Preferences option.
>   4. Choose the Internet section.
>   5. Uncheck the "Display PDF in browser" checkbox.
>
>   Do not access PDF files from untrusted sources
>
>   Do not open unfamiliar or unexpected PDF files, particularly those
>   hosted on websites or delivered as email attachments. Please see
>   Cyber Security Tip ST04-010.
>
>
> IV. References
>
>  * Security update available for Adobe Reader and Acrobat -
>   <http://www.adobe.com/support/security/bulletins/apsb11-16.html>
>
>  * Adobe Reader and Acrobat JavaScript Blacklist Framework -
>   <http://kb2.adobe.com/cps/504/cpsid_50431.html>
>
>  * Security update available for Adobe Flash Player -
>   <http://www.adobe.com/support/security/bulletins/apsb11-18.html>
>
>  * Security update available for Adobe Shockwave Player -
>   <http://www.adobe.com/support/security/bulletins/apsb11-17.html>
>
>  ____________________________________________________________________
>
>   The most recent version of this document can be found at:
>
>     <http://www.us-cert.gov/cas/techalerts/TA11-166A.html>
>  ____________________________________________________________________
>
>   Feedback can be directed to US-CERT Technical Staff. Please send
>   email to <cert at cert.org> with "TA11-166A Feedback" in
>   the subject.
>  ____________________________________________________________________
>
>   For instructions on subscribing to or unsubscribing from this
>   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
>  ____________________________________________________________________
>
>   Produced 2011 by US-CERT, a government organization.
>
>   Terms of use:
>
>     <http://www.us-cert.gov/legal.html>
>  ____________________________________________________________________
>
> Revision History
>
>  June 15, 2011: Initial release
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iQEVAwUBTfjkdz6pPKYJORa3AQL96Af/bfXjpbygssCruFOpIPCRkp2YprLJLjjc
> D+ydEKvBTLYUqm5QgUD99bKwcUjQvwbZRuQDM2hhb49+TeTQPWR3gKvSqasviAC9
> wu73HEw6I5ystOW/v0m+IglgbQH6qBr1VdycxOQf3z63sWbt4XafBpbY3t4klcfj
> Wc9ysRAY0RbInH5oyxJrOZz68OFUJj+ZsJw7wvnC3kgd3r6Q92nEM0cAiuNxmk0l
> 4g+HR0LuQRrgurAiX/zdAylByhOVmzBAqHhPk9pEdlf6XgEAhu/nSHrPa9jD+YKh
> DtDSf9ETAnsqjY7zjP1RdgjcUU1HbzU1Egs3LOy33zfHEzKZZJe2QA==
> =p3nZ
> -----END PGP SIGNATURE-----

More information about the Nottingham mailing list