Tuesday, March 15, 2011

CRITICAL Zero-Day Security Exploit In-The-Wild: Adobe Flash & Adobe Acrobat & Adobe Reader

--
Q: So Adobe! How's that quarterly 'in-band' update schedule working for you?
A: Um...

After a nice break from The Summer Of Security Holes, we are back on track with CRITICAL Adobe zero-day exploits. This one hits ALL versions of Adobe Flash (v10.2.152.33 on down) on ALL OS platforms, except of course Apple's iOS which does not allow Flash content. Now perhaps skeptics can understand why. It also hits versions 10.0.1 on down through v9.x of Adobe Reader and Adobe Acrobat on Mac and Windows.

Here is the security advisory from Adobe.
"This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system."

Here is an article by Electronista.
"Given the popularity of the Flash platform, it would seem that this could be a somewhat difficult situation to manage."

Here is the advisory from Adobe's PSIRT (Adobe Product Security Incident Response Team) blog.
"We are in the process of finalizing a fix for the issue and expect to make available an update . . . during the week of March 21, 2011."

And here are even more details from yet another Adobe security blog, this time called ASSET (Adobe Secure Software Engineering Team).
"We currently plan to address CVE-2011-0609 in Adobe Reader X with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.... We determined that the above patch schedule would allow us to provide the best balance of risk mitigation and admin/update costs for our customers."

Translation: Watch for patches of Adobe Flash Player, Adobe Acrobat and Adobe Reader v9.x (not 10.x) the week of March 21, 2011. There will be NO patch for Acrobat Reader v10.x until the scheduled quarterly "in-band" date of June 14, 2011. There is an explanation of this inexplicable schedule in the ASSET article.

The currently known exploit is a Microsoft Excel (XLS) file sent via email to victims. Embedded within this file is a Trojan horse Flash file (SWF). Adobe does not explicitly state that this specific file is directed only at Windows users. However, the details they provide refer only to using 'Protected Mode' in Adobe Reader, which is a Windows-only feature. Therefore, I can infer that this is a Windows-only exploit file.

Other exploits are possible. Therefore, until Adobe patches this hole, beware of Flash in general, either as straight Flash files OR embedded in another file type.
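
A defensive check for the delivery method described above, as an added example that is not part of the original post: a Python heuristic that scans a file's raw bytes (an emailed XLS attachment, for instance) for embedded SWF headers. The function names, the `MAX_VERSION` bound and the sample bytes are assumptions constructed for illustration.

```python
import struct
import zlib

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian file length.
SIGNATURES = (b"FWS", b"CWS")  # uncompressed / zlib-compressed body
MAX_VERSION = 40  # assumption: generous upper bound used to cut false positives


def _body_plausible(sig: bytes, body: bytes) -> bool:
    if sig == b"FWS":
        return True  # no cheap body check; header fields decide
    try:  # CWS: the bytes after the header must begin a valid zlib stream
        return len(zlib.decompressobj().decompress(body, 64)) > 0
    except zlib.error:
        return False


def find_embedded_swf(data: bytes):
    """Return sorted (offset, signature, version, declared_length) tuples."""
    hits = []
    for sig in SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version, length = struct.unpack("<BI", header[3:])
                if (1 <= version <= MAX_VERSION and length > 8
                        and _body_plausible(sig, data[pos + 8:])):
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test input: OLE2 magic, two tiny SWFs and two decoys."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"  # RECT, rate, frames, End tag
    hdr = struct.pack("<BI", 10, 8 + len(body))
    blob = bytearray(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1".ljust(2048, b"\x00"))
    blob[512:512 + 15] = b"FWS" + hdr + body
    packed = b"CWS" + hdr + zlib.compress(body)
    blob[1024:1024 + len(packed)] = packed
    blob[1536:1544] = b"FWS\xff\x0f\x00\x00\x00"          # decoy: bad version
    blob[1600:1616] = b"CWS\x0a\x0f\x00\x00\x00not-zlib"  # decoy: bad body
    return bytes(blob)


if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample()):
        print("possible embedded SWF at offset %d: %s v%d, %d bytes" % hit)
```

A raw byte scan is a triage heuristic: it will miss Flash content that the container stores compressed or encoded, so a clean result does not prove a file is safe.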

My solutions:

A) Use one of the many Flash blocking extensions in your web browsers AT ALL TIMES.

B) As a corollary of The Second Rule Of Computing:
  1. Only open files emailed to you AFTER you have verified that their source is legitimate.
  2. Only click on embedded Flash on web sites that have been verified to be legitimate.

C) Don't use Adobe Reader. Use Apple's Preview application.

D) If you just 'have to' use Adobe Reader: Be sure you are using 'Enhanced Security' inside the Preferences. You'll find it listed under 'Security (Enhanced)'. Note that this is enabled by default when you first install Adobe Reader.

E) Or to be totally safe: Remove Adobe Flash, Adobe Acrobat and Adobe Reader from your computer.

Q: Does this make the Internet more dangerous than ever?
A: You bet!

Q: Why does the Internet have to be such an annoying pain?
A: Bad coding practices by developers, as well as poor code documentation, which is critical to cleaning up bad code.

Theoretically, newer coding students are being taught how to avoid computer memory security holes. However, even if they are diligent at writing 'perfect' code, other problems persist in the programming languages themselves. For example, the Java programming language was created specifically so that it would never be able to exploit the user's computer. And yet it does. As I ever rant: We are still in The Stone Age Of Computing.

Q: Are Mac users really vulnerable to this security exploit?
A: Absolutely!

Keep in mind that this is not an Apple or Mac OS X problem. This is an Adobe problem. It is their software that is being exploited and ends up damaging the computer. There is nothing Apple can do to prevent Flash exploits apart from banning Flash, which is thankfully the case with all Apple iOS devices.

Meanwhile, whether this exploit will be targeted specifically at Macs is entirely up to the evil scumbag hackers writing the exploit code. If I hear of a Mac-specific exploit file, I will post here.
--
