February 18, 2013
Last week, Adobe issued a Security Advisory (APSA13-02) for its Acrobat and Reader software for Windows, Linux, and Mac OS X. The advisory concerns two newly discovered security vulnerabilities in the software (the CVE numbers are in the Security Advisory). According to Adobe, the affected versions of the software are:
- Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
- Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
- Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
- Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
- Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
- Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh
There is some evidence that the vulnerabilities are being exploited, principally by E-mails that attempt to trick Windows users into opening a malicious PDF document.
According to a post on the Product Security Incident Response Team (APSIRT) blog, Adobe plans to release security updates for the affected software this week. I will post a note here when the patches are available.
In the meantime, those who are using Reader XI and Acrobat XI for Windows can mitigate the risk from these flaws by enabling “Protected View” (see the Security Advisory for details). In any case, you should always be very wary of opening any E-mail attachments unless you are sure they are legitimate.
December 31, 2012
Microsoft has released a “FixIt” workaround patch for the Internet Explorer vulnerability (in IE versions 6, 7, and 8) that I wrote about yesterday; the Security Advisory (2794220) has been updated to reflect this change. Microsoft has also released a Knowledge Base article that contains links to the installation programs to enable, or disable, the workaround. This is not a patch for the underlying vulnerability, but a sort of “quick fix” that prevents exploits from working.
If you are using a Windows system that requires the workaround, you can install it directly from the Knowledge Base page. Alternatively, you can save the file to disk and then run it manually on one or more other systems. There is also a link to disable the workaround, in case it causes problems with your system.
Another mitigation step suggested in the Security Advisory is the use of a Microsoft utility, the rather Orwellian name of which is the Enhanced Mitigation Experience Toolkit (EMET). The EMET utility implements a variety of general-purpose protections against malicious software. It can be quite an effective tool, but it does involve some risk of incompatibility with particular applications. I strongly suggest that you test it carefully before installing it on critical systems. A general description and download links are in the Knowledge Base article (2458544) Enhanced Mitigation Experience Toolkit. For more detailed and technical information on EMET, a TechNet blog post describes the latest version (3.0).
Since an example exploit seems to have been posted on the Web, I think it is prudent to take this vulnerability seriously. If you have a vulnerable version of Internet Explorer, I suggest that you take one or more of these steps:
- Switch to a different browser (e.g., Firefox or Chrome) and avoid Internet Explorer
- Upgrade to Internet Explorer version 9 or 10 (not possible on Windows XP systems)
- Apply the FixIt workaround, and possibly EMET if it’s workable in your environment.
On Thursday, January 3, Microsoft should be announcing the security bulletins it will release this month. I hope that a regular patch for this vulnerability can be ready in time to be included in that batch, which should be released Tuesday, January 8.
December 30, 2012
Microsoft has issued a Security Advisory (2794220) concerning a new “zero-day” vulnerability in Internet Explorer. Versions 6, 7, and 8 of the browser are affected, on all versions of Windows; versions 9 and 10 are not. The flaw involves a memory allocation and access bug; if exploited, it could lead to the attacker gaining access to the system with the same privileges as the logged-in user, and execution of arbitrary code. The most likely exploit would involve clicking on a link to a malicious Web site, sent to the user via an E-mail or instant message. An exploit would not necessarily require the Web site itself to be compromised; a site that hosted user-supplied content might also serve as an attack vector.
Microsoft has assigned this vulnerability CVE-2012-4792; however, at this point there is no further information available in the CVE database. A more detailed technical explanation of the vulnerability is available in this Microsoft blog post.
As I mentioned earlier, this vulnerability does not affect Internet Explorer version 9 or 10. However, those of you still using Windows XP are out of luck on that score, because upgrading to one of those IE versions is not an option. (If you are still using XP, I hope you have started planning a transition to a newer version of Windows.) Microsoft says that it is investigating the problem, and that it will “take appropriate action” once the investigation is complete. The Security Advisory has some suggestions for possible mitigations. As always, never click on an unsolicited link someone sends you.
Update Sunday, 30 January, 23:16 EST
It appears that a sample exploit for this vulnerability has been published on the Web. If you are using a vulnerable version of Internet Explorer, I suggest that you switch to Firefox or Chrome, or at least apply Microsoft’s recommended mitigations as soon as you can.
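As an added example (not part of the original posts), the following Python script applies the two affected-version lists quoted on this page, the Adobe Reader/Acrobat list from the February 18 post and the Internet Explorer 6/7/8 list from the December 30 post, to a software inventory so that a defender can see at a glance which hosts still need the patch or a workaround. The host names and inventory rows are constructed for the example; the display-name column mimics what the Windows uninstall registry keys report, and platform (Windows/Mac/Linux) is deliberately not modelled.

```python
import csv
import io
import re

# Affected version lines as quoted in the advisories on this page:
# product -> {major version: highest affected version}.
#   None  : every version on that major line is affected (IE 6/7/8)
#   ()    : no version on that major line is affected (IE 9/10)
# A major line missing from the table is "not covered" (e.g. Reader 8.x).
AFFECTED = {
    "Adobe Reader": {11: (11, 0, 1), 10: (10, 1, 5), 9: (9, 5, 3)},
    "Adobe Acrobat": {11: (11, 0, 1), 10: (10, 1, 5), 9: (9, 5, 3)},
    "Internet Explorer": {6: None, 7: None, 8: None, 9: (), 10: ()},
}


def parse_version(text):
    """Turn '11.0.01' into (11, 0, 1) so versions compare numerically, not as strings."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def match_product(display_name):
    """Map an installer display name such as 'Adobe Reader XI (11.0.01)' to a key in AFFECTED."""
    for product in AFFECTED:
        if display_name.startswith(product):
            return product
    return None


def is_affected(product, version):
    """True/False when the advisory covers this version line, None when it says nothing about it."""
    rules = AFFECTED.get(product)
    if rules is None:
        return None
    v = parse_version(version)
    if v[0] not in rules:
        return None            # version line not listed either way
    bound = rules[v[0]]
    if bound is None:
        return True            # whole major line affected
    return v <= bound          # "X and earlier"; v <= () is always False


# Constructed sample inventory (hypothetical hosts), one row per installed product.
INVENTORY = """\
host,display_name,display_version
ws01,Adobe Reader XI (11.0.01),11.0.01
ws02,Adobe Reader X,10.1.6
ws03,Adobe Acrobat 9,9.5.3
ws04,Adobe Reader 8,8.3.1
ws05,Internet Explorer,8.0.7601.17514
ws06,Internet Explorer,9.0.8112.16421
"""


def scan(inventory_csv):
    """Return (host, product, version, status) for every row; status follows is_affected()."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = match_product(row["display_name"])
        status = is_affected(product, row["display_version"]) if product else None
        results.append((row["host"], product, row["display_version"], status))
    return results


if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "not affected", None: "not covered by advisory"}
    for host, product, version, status in scan(INVENTORY):
        print(f"{host}: {product} {version} -> {labels[status]}")
```

The tuple comparison is what makes "11.0.01 and earlier" work: 11.0.02 sorts above 11.0.01 numerically even though the two strings differ only in their last character, and 10.1.6 (the version line the February advisory does not cover as affected) is correctly reported as not affected. Rows that come back as "not covered" are worth a second look rather than being treated as safe, since the advisory simply says nothing about them.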