Posts Tagged: acrobat

Jan 14

Security Updates for Windows, Java, Flash & Reader

Adobe, Microsoft and Oracle today each issued security updates to fix serious vulnerabilities in their products. Adobe released patches for AIR, Acrobat, Flash and Reader, while Microsoft pushed out fixes to shore up at least a half dozen security weaknesses in Windows and Office. Oracle released an update for Java that fixes at least three dozen security holes in the widely-used program.

crackedwinAll of the vulnerabilities that Microsoft fixed this month earned “important” ratings; not quite as dire as those labeled “critical,” which involve flaws so dangerous that they can be exploited by bad guys or malware to break into systems with no user interaction. Nevertheless, flaws marked “important” can be quite dangerous, particularly when used in tandem with other attack techniques.

By way of illustration, this month’s MS14-002 patch addresses an important zero-day flaw that was first found to be exploited in targeted attacks late last year. In one version of this attack, documented quite nicely in this fascinating yet somewhat technical writeup from Trustwave Spiderlabs, attackers used this Windows flaw in combination with a bug in Adobe Reader. According to Trustwave, the bad guys in that attack included the Windows flaw as a means of bypassing Adobe Reader’s security sandbox, a technology designed ensure that any malicious code embedded in documents only runs under limited privileges (i.e., isn’t allowed to invoke other programs or alter core system settings).

In short, don’t put off applying this month’s patches from Microsoft. They are available via Windows Update or Automatic Update. Also, Microsoft took this opportunity to remind Windows XP users that the company will no longer be supporting Windows XP after April 2014 (guess I will have to retire the above broken Windows graphic as well). The lack of ongoing security updates for XP means it will likely become an even bigger target for attackers; if you rely on XP, please consider transitioning to a newer operating system sometime soon. Who knows, it might be a great excuse to try Linux, which tends to be very light on resources and ideal for older hardware. If you’ve been considering the switch for a while, take a few distributions for a spin using one of dozens of flavors of Linux available via Live CD.

Continue reading →

Oct 13

Adobe To Announce Source Code, Customer Data Breach

Adobe Systems Inc. is expected to announce today that hackers broke into its network and stole source code for an as-yet undetermined number of software titles, including its ColdFusion Web application platform, and possibly its Acrobat family of products. The company said hackers also accessed nearly three million customer credit card records, and stole login data for an undetermined number of Adobe user accounts.

A screen shot of purloined source code stolen from Adobe, shared with the company by KrebsOnSec

A screen shot of purloined source code stolen from Adobe, shared with the company by KrebsOnSec

KrebsOnSecurity first became aware of the source code leak roughly one week ago, when this author — working in conjunction with fellow researcher Alex Holden, CISO of Hold Security LLC — discovered a massive 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll. The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat.

Shortly after that discovery, KrebsOnSecurity shared several screen shots of the code repositories with Adobe. Today, Adobe responded with confirmation that it has been working on an investigation into a potentially broad-ranging breach into its networks since Sept. 17, 2013.

In an interview with this publication earlier today, Adobe confirmed that the company believes that hackers accessed a source code repository sometime in mid-August 2013, after breaking into a portion of Adobe’s network that handled credit card transactions for customers. Adobe believes the attackers stole credit card and other data on approximately 2.9 million customers, and that the bad guys also accessed an as-yet-undetermined number of user names and passwords that customers use to access various parts of the Adobe customer network.

ColdFusion source code repository found on hacker's server.

ColdFusion source code repository found on hacker’s server.

Adobe said the credit card numbers were encrypted and that the company does not believe decrypted credit card numbers left its network. Nevertheless, the company said that later today it will begin the process of notifying affected customers — which include many Revel and Creative Cloud account users —  via email that they need to reset their passwords.

In an interview prior to sending out a news alert on the company’s findings, Adobe’s Chief Security Officer Brad Arkin said the information shared by this publication “helped steer our investigation in a new direction.” Arkin said the company has undertaken a rigorous review of the ColdFusion code shipped since the code archive was compromised, and that it is confident that the source code for ColdFusion code that shipped following the incident “maintained its integrity.”

“We are in the early days of what we expect will be an extremely long and thorough response to this incident,” Arkin said. The company is expected to publish an official statement this afternoon outlining the broad points of its investigation so far.

Arkin said Adobe is still in the process of determining what source code for other products may have been accessed by the attackers, and conceded that Adobe Acrobat may have been among the products the bad guys touched. Indeed, one of the screen shots this publication shared with Adobe indicates that the attackers also had access to Acrobat code, including what appears to be code for as-yet unreleased Acrobat components (see screen grab above).

“We’re still at the brainstorming phase to come up with ways to provide higher level of assurance for the integrity of our products, and that’s going to be a key part of our response,” Arkin said. He noted that the company was in the process of looking for anomalous check-in activity on its code repositories and for other things that might seem out of place.

“We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”

The revelations come just two days after KrebsOnSecurity published a story indicating that the same attackers apparently responsible for this breach were also involved in the intrusions into the  networks of the National White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime. As noted in that story, the attackers appear to have initiated the intrusion into the NW3C using a set of attack tools that leveraged security vulnerabilities in Adobe’s ColdFusion Web application server.

While Adobe many months ago issued security updates to plug all of the ColdFusion vulnerabilities used by the attackers, many networks apparently run outdated versions of the software, leaving them vulnerable to compromise. This indeed may have also been the vector that attackers used to infiltrate Adobe’s own networks; Arkin said the company has not yet determined whether the servers that were breached were running ColdFusion, but acknowledged that the attackers appear to have gotten their foot in the door through “some type of out-of-date” software.

Stay tuned for further updates on this rapidly-moving story.

Update 4:38 p.m. ET: Adobe has released a statement about these incidents here and here. A separate customer security alert for users affected by this breach is here. Also, in a hopefully unrelated announcement, Adobe says it will be releasing critical security updates next Tuesday for Adobe Acrobat and Adobe Reader.

Update, Oct. 5, 4:35 p.m. ET: Rakshith Naresh, a product manager at Adobe, said in a Tweet yesterday that the breach did not involve ColdFusion vulnerabilities.

Update, Oct. 9, 12:50 p.m. ET: Naresh’s Tweet stating that the breach didn’t involve ColdFusion servers was deleted at some point. I followed up with Adobe via email: An Adobe spokesperson said the company’s investigation is still ongoing, and that “at this time we have not identified the initial attack vector to include or exclude a ColdFusion server.”

May 13

Microsoft, Adobe Push Critical Security Updates

Microsoft and Adobe today each released updates to fix critical security holes in their software. Microsoft’s patch batch tackles at least 33 vulnerabilities in Windows and other products, including a fix for a zero-day vulnerability in Internet Explorer 8 that attackers have been exploiting. Separately, Adobe pushed security updates for Flash Player, Adobe Reader, Acrobat and Adobe AIR.

crackedwinMicrosoft’s Patch Tuesday bundle includes two separate updates for Internet Explorer; the first (MS13-037) is a cumulative update for Internet Explorer. The second is a fix (MS13-038) specifically for a critical bug in IE 8 that miscreants and malware have been using to break into Windows computers. Other, slightly less severe holes were fixed in Microsoft Publisher, Word, Visio and Windows Essentials.

Last week, Microsoft released a stopgap “Fix-it” tool to help blunt the threat from the IE8 zero-day flaw. If you installed that interim fix, Microsoft recommends taking a moment to disable it before applying today’s patches.

<soapbox>On a side note..Dear Microsoft: Please stop asking people to install Silverlight every time they visit a property. I realize that Silverlight is a Microsoft product, but it really is not needed to view information about security updates. In keeping with the principle of reducing the attack surface of an operating system, you should not be foisting additional software on visitors who are coming to you for information on how to fix bugs and vulnerabilities in Microsoft products that they already have installed. </soapbox>

Silverlight required? C'mon, Microsoft!

Silverlight required? C’mon, Microsoft!

As it usually does on Microsoft’s Patch Tuesday, Adobe used the occasion to push its own security updates. A new version of Flash (v. 11.7.700.202 for Mac and Windows systems) fixes 13 vulnerabilities.  IE 10 and Google Chrome automatically update themselves to fix Flash flaws. This link should tell you which version of Flash your browser has installed. If your version of Chrome is not yet updated to v. 11.7.700.202, you may need to just restart the browser.

Continue reading →

Jan 13

Adobe, Microsoft Ship Critical Security Updates

Adobe and Microsoft today separately issued updates to fix critical security vulnerabilities in their products. Adobe pushed out fixes for security issues in Acrobat, Adobe Reader and its Flash Player plugin. Microsoft released seven patches addressing at least a dozen security holes in Windows and other software, although it failed to issue an official patch for a dangerous flaw in its Internet Explorer Web browser that attackers are now actively exploiting.

Two of the patches that Microsoft issued today earned a “critical” rating, signifying that these vulnerabilities could be exploited to fully compromise vulnerable Windows systems without any help from users. Microsoft called special attention to two critical bugs in its XML Core Services component; the company said it is likely that malware or miscreants will figure out a way to exploit these flaws in active attacks sometime within the next 30 days.

Unfortunately, Microsoft did not offer an official fix for a critical Windows flaw that malware and miscreants are already exploiting. In late December, Microsoft acknowledged that attackers were using a previously undocumented security hole in Internet Explorer versions 6 through 8 to break into Windows PCs. Microsoft later issued a stopgap “FixIt” tool to help lessen the vulnerability on affected systems, but researchers last week demonstrated that the FixIt tool only blocked some methods of attacking the flaw, leaving other ways unguarded. Meanwhile, a working copy of the exploit has been folded into Metasploit, a free penetration testing tool.

Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, said the zero-day IE vulnerability affects 90% of the IE install base at this time.

“Microsoft is not providing a patch today, though they have provided a Fix-It for the issue,” Kandek wrote in a blog post. “The vulnerability should be tracked closely, as a large percentage of enterprises still run the affected versions.”

Users who wish to continue browsing the Web with IE should upgrade to IE9 if possible (IE10 on Windows 8 also is not vulnerable). Users still on Windows XP will not be able to update to IE9, but may be able to derive some protection from the FixIt tool and by using Microsoft’s EMET tool. XP users may be better off, however, browsing with Firefox or Chrome with some type of script blocking and/or sandbox in place. More information on how to use EMET and script blocking options is available in my Tools for a Safer PC primer. More details about today’s updates from Microsoft can be found at the Microsoft Security Response Center blog and in the security bulletin summaries for each patch.

The Adobe Flash patch fixes at least one critical vulnerability in the media player plugin. Updates are available for all supported versions of Flash, including for Windows, Mac, Linux and Android. See the chart below for the latest version number broken down by operating system.

Continue reading →

Apr 11

Adobe Reader, Acrobat Update Nixes Zero Day

Adobe shipped updates to its PDF Reader and Acrobat products today to plug a critical security hole that attackers have been exploiting to break into computers. Fixes are available for Mac, Windows and Linux versions of these software titles.

The patch released today addresses two critical flaws. Adobe pushed out a patch for the standalone Flash Player last week, but that same vulnerable component exists in Adobe Reader and Acrobat. Initially, Adobe said it was only aware of attacks on the Flash Player but, in the the latest advisory, it acknowledged the existence of public reports that hackers have been sending out poisoned PDFs that exploit the Flash flaw., for example, reported that it was receiving reports of malicious PDFs attacking the Flash bug as early as Apr. 17.

The Reader/Acrobat patch also addresses another critical bug (a flaw in the CoolType library of Reader & Acrobat) that could allow attackers to install malicious software. Not much information is public about this vulnerability, except that Poland’s CERT is credited with reporting it. Adobe spokesperson Wiebke Lips said the company was not aware of any exploits in the wild targeting this bug.

The advisory for the latest version is here. Users on Windows and Macintosh can grab the update using the product’s update mechanism. To manually check for an update, open your Reader or Acrobat and choose Help > Check for Updates.

Mar 11

Critical Security Updates for Adobe Acrobat, Flash, Reader

Adobe today released a software update to plug a critical security hole in its Flash Player, Adobe Acrobat and PDF Reader products. The patch comes a week after the software maker warned that miscreants were exploiting the Flash vulnerability to launch targeted attacks on users.

The Flash update addresses a critical vulnerability in Adobe Flash Player version and earlier; versions (Adobe Flash Player version and earlier versions for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems; and Adobe Flash Player and earlier versions for Android.

Adobe is urging all users to upgrade to the latest version — Flash v. (Chrome users want v., although Google is likely to auto-update it soon, given their past speediness in applying Flash updates). Update: According to The Register’s Dan Goodin, Google updated Chrome to patch this Flash flaw a full three days ago!

Original post: Click this link to find out what version of Flash you have installed. If something goes wrong in your update, or if you’re just a stickler for following directions, Adobe recommends uninstalling the current version of Flash before proceeding with the update (Mac users see this link).

Continue reading →

Nov 10

Critical Updates for Adobe Reader, Acrobat

Adobe on Tuesday issued a critical update to patch at least two security holes in its PDF Reader and Acrobat software, including one flaw that was publicly disclosed earlier this month.

Updates are available for Windows, Mac and UNIX versions of Reader and Acrobat. The newest version is v. 9.4.1. If you use either of these products, take a moment to update them by clicking “Help,” then “Check for Updates.” Direct links to the new versions also are available in the Adobe advisory for this update. Note that this is not the sandboxed version (Adobe Reader X, or v 10.0) which is expected to be released at the end of this month.

Separately, the company is warning users not to fall for recent phishing and other e-mail scams targeted at Adobe customers looking for the Adobe Acrobat X, a new product being released this week. “Many of these emails require recipients to register and/or provide personal information. Please be aware that these emails have not been sent by Adobe or on Adobe’s behalf,” Adobe said.

Oct 10

Reader, Acrobat Patches Plug 23 Security Holes

A new security update from Adobe plugs at least 23 security holes in its PDF Reader and Acrobat software, including two vulnerabilities that attackers are actively exploiting to break into computers.

Adobe is urging Reader and Acrobat users of versions 9.3.4 and earlier for Windows, Mac and UNIX systems to upgrade to version 9.4 (Adobe says those who can’t upgrade to the 9.x version should instead apply the version 8.2.5 update).

Adobe says one of the 23 flaws fixed by this new version is being actively exploited. A second zero-day flaw corrected by today’s update — a critical vulnerability in Adobe Flash player that the company fixed in a separate update last month for the stand-alone Flash player — also exists in Adobe Acrobat and Reader, although Adobe says it is not aware of any attacks exploiting this flaw in those products yet.

Continue reading →

Aug 10

Adobe Issues Acrobat, Reader Security Patches

Adobe Systems Inc. today issued software updates to fix at least two security vulnerabilities in its widely-used Acrobat and PDF Reader products. Updates are available for Windows, Mac and UNIX versions of these programs.

Acrobat and Reader users can update to the latest version, v. 9.3.4, using the built-in updater, by clicking “Help” and then “Check for Updates.”

Today’s update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. The company said the update addresses a vulnerability that was demonstrated at the Black Hat security conference in Las Vegas last month. The release notes also reference a flaw detailed by researcher Didier Stevens back in March. Adobe said it is not aware of any active attacks that are exploiting either of these bugs.

More information on these patches, such as updating older versions of Acrobat and Reader, is available in the Adobe security advisory.

Jun 10

Security Updates for Adobe Acrobat, Reader

Adobe Systems Inc. is urging users to update installations of Adobe Reader and Acrobat to fix a critical flaw that attackers have been exploiting to break into vulnerable systems.

The update brings Adobe Acrobat and Reader to version 9.3.3 (another update for the older 8.2 line of both products brings the latest version to v. 8.2.3). Patches are available for Windows, Mac, Linux and Solaris versions of these programs. Adobe’s advisory for this update is here, and the Reader update is available from this link — or by opening the program and clicking “Help” and “Check for Updates.” If you download the update from the Adobe Reader homepage, you’ll end up with a bunch of other stuff you probably don’t want (see below, after the jump for more on this).

If you use Adobe Reader or Acrobat, please take a moment to update this software. Users may also want to consider switching to other free PDF readers that are perhaps less of a target for malicious hackers, such as Foxit Reader, Nitro PDF Reader, and Sumatra.

Continue reading →