Security

Apple on Thursday released a relatively minor update for Mac OS X Snow Leopard that fixes an issue users had with the operating system that downgraded them to an older version of Adobe Systems' Flash Player.

(Credit: Apple)

When Apple released Snow Leopard on August 28, it included an older version of Adobe's Flash plug-in that was known to have security issues. Sophos security expert Graham Cluley warned users of the downgrade and urged anyone who installed the operating system to upgrade immediately.

Snow Leopard 10.6.1 addresses this issue by updating the Flash Player plug-in to version 10.0.32.18, the most current, stable release from Adobe.

While that is the big news for Apple's first Snow Leopard update, the company did include some minor fixes as well. The new version includes improved compatibility with Sierra Wireless 3G modems and addresses an issue that caused some DVDs to stop playback.

Printer compatibility has been improved, and so has the automatic account setup in Apple's Mail application. An issue that affected Motion 4 becoming unresponsive has also been fixed.

Mac OS X 10.6.1 can be downloaded from Apple's support Web site or via the software update mechanism in Mac OS X.

If you're a criminal and you want to break into a network, a common attack method is to exploit a hole in software that exists on most computers, has its fair share of holes, and isn't automatically updated.

In 2002, that would have been Windows. Today, it's likely to be Adobe Reader or Flash Player, whose share of vulnerabilities and exploits are on the rise while Microsoft's is falling.

Nearly half of targeted attacks exploit holes in Acrobat Reader, which is used to read PDF (portable document format) files, according to F-Secure. Meanwhile, the number of PDF files used in dangerous Web drive-by attacks jumped from 128 during the first three and a half months of last year to more than 2,300 during that time this year, the company said.

In addition, there are more and more zero-day holes, vulnerabilities that are public before a patch is available. Like sitting ducks, users of affected software are left wide open to attack until a fix is available.

There have been zero-day exploits for the Flash Player plug-in, used for viewing rich media like videos and interactive charts on Web sites. And in one case this spring, a zero-day hole in Adobe Reader spurred security experts to recommend that users disable JavaScript.

One security researcher at Black Hat last week, who asked to remain anonymous, said: "As a result of the number of zero-day attacks on PDFs this year, large banks hate Adobe."

F-Secure said it identified about 1,967 targeted attack files in 2008, the most popular type being .doc used in Microsoft Word.

(Credit: F-Secure)

Those scary statistics prompted F-Secure researcher Mikko Hypponen, chief research officer at F-Secure, to urge Adobe Reader users to switch to an alternative PDF reader at the RSA show in April.

Adobe "has a lot to learn from, of all places, Microsoft," Hypponen said at the time. At the Black Hat and Defcon security shows last week, others concurred.

"Adobe is the next Microsoft," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky. "They are slowly realizing that they have become a main vector of getting into a machine...We as an industry must push hard" to get Adobe to improve security.

An Adobe manager said the problem stems from the fact that it's software is so broadly used.

"It's only natural, given the fact that some of our products like Reader and Flash Player are some of the most widely distributed on Earth, that they would be targeted by attacks," Brad Arkin, director for product security and privacy at Adobe, said in an interview on Wednesday.

Microsoft has been in the same boat, and in many ways still is. The difference is in how the companies respond to the problem, experts said.

Microsoft: Been there, done that
In January 2002, Bill Gates launched the Trustworthy Computing initiative and said security would be a top priority for the company. Microsoft had to do something to combat the negative press and public opinion over its whack-a-mole strategy for countering the viruses and other security holes that plagued its software.

The company established a Security Development Lifecycle program, designed to build security into the software, that has become the standard others in the industry follow. It is roundly lauded for its efforts.

During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDF. The change from the previous year is primarily due to the fact that there have been more vulnerabilities in Adobe Acrobat/Reader than in Microsoft Office, F-Secure said.

(Credit: F-Secure)

Now it's Adobe's turn to step up to the plate.

"Microsoft is a model for patch management...they were forced into it. They really turned around," Hypponen said in an interview last week at Black Hat. "Now, Flash and Reader are ubiquitous and it's harder and harder to target Microsoft, so the attackers are looking for easier targets."

In particular, Adobe's patching process isn't as robust as Microsoft's, he and others said.

In all fairness, Adobe is on the right path. Prompted by a zero-day hole in Reader, Adobe decided in May to start releasing patches on a quarterly basis, and to schedule the updates to coincide with Microsoft's Patch Tuesday releases.

At the time of the Adobe announcement, Arkin said the company was reviewing "everything from our security team's communications during an incident to our security update process to the code itself." He also promised that users would "see more timely communications regarding incidents, quicker turnaround times on patch releases, and simultaneous patches for more affected versions as we move forward."

The company was the first third-party vendor to release a fix for software affected by a vulnerability in Microsoft's Active Template Library, which is used to build components for Web applications and which was being exploited, according to Arkin.

"We scoured the entire Adobe portfolio and evaluated more than 200 products in the field today to determine which might be vulnerable," he said, adding that fixes for Shockwave Player and Flash Player shipped within weeks.

A zero-day exploit targeting Reader and Acrobat that Adobe learned about on April 27 was fixed about two weeks later, he said. And Adobe issued a patch last week for a critical Flash Player problem that was being exploited, allowing attackers to take over a computer via content viewed in a browser.

"We are quite happy with the performance on those," Arkin said of the time frame for the patches.

The company also has been turning an eye toward "digging into legacy code" and looking for additional ways to improve products overall he said. "Adobe integrates the best practices you see at Microsoft and other companies."

The security researcher who asked not to be named complained that at an architectural level, some Adobe applications have too much access to the operating system. "Why should something that operates on untrusted data have full access to your trusted data?" he asked, mentioning specifically Adobe Reader and its ability to access the hard drive to read and write files.

The program's functions require it to be able to save and open files on the file system and thus have read and write access to the hard drive, Arkin said. "Web browsers all have the ability to save to the file system," and the privileges between the two types of programs are similar, he added.

Security-versus-functionality trade-offs aside, changes in Adobe's products and processes will come in response to market pressures and not merely because it's the favorite target for attackers, said Bruce Schneier, chief technology officer of BT Counterpane.

"This is all very much a business decision, whether the company decides to take security seriously or not," he said, adding that he spent his day dealing with Adobe updates.

"I'd like to think that they would start realizing that they can use security as a selling point, but it took Linux to get Microsoft to do that. They felt they had competition," he said. "Is there a Linux waiting to affect Adobe?"

Not really, the experts agreed.

Dan Kaminsky, director of penetration testing at IOActive, praised Adobe for "reconfiguring itself" with regards to security issues and suggested critics should cut the company some slack.

"The PDF exploitation only recently blew up, and remember, it takes any software development house a while to really address problems," he said, adding that Flash 9 was much more secure than Flash 8.

"Does Adobe have products they need to lock down? Yes. Are they in the process of doing so? Yes. They did it for Flash and they'll do it for Reader," he said.

"There's always a 'most vulnerable' attack surface."

Adobe has released a patch for a critical Flash Player problem that could let attackers take over people's computers through content viewed in a browser.

The vulnerability affected a file that shipped with Flash Player 9.x and 10.x for Windows, Mac OS X, and Linux, and with Adobe Reader and Adobe Acrobat 9.x for Windows, Macintosh, and Unix. Adobe said Thursday it fixed the problem in a security advisory, and Adobe's Matt Rozen posted a note on Twitter that directed people to download the patched version from Adobe's Flash download site.

This was no abstract, theoretical vulnerability, either.

"There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows," Adobe said in an earlier advisory about the problem.

Flash is very widely used in browsers to power features such as interactive stock charts and YouTube video streaming.

(Credit: Adobe)

Adobe said Thursday that it will issue fixes next week for a critical hole in Flash that is being exploited in attacks against Adobe Reader version 9 on Windows.

The vulnerability exists in current versions of Flash Player for Windows, Macintosh, and Linux and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for those same platforms, Adobe said in an advisory.

The vulnerability could cause a system to crash or allow an attacker to take control of the computer, Adobe said.

An update for Flash Player v9 and v10 for Windows, Mac, and Linux will be released by July 30, while a fix for Solaris is pending. Adobe should have an update for Reader and Acrobat v9.1.2 for Windows, Macintosh, and Unix by July 31.

An attacker can exploit the vulnerability by luring someone to a Web site hosting a specially crafted Shockwave Flash file, US-CERT said in an advisory Thursday.

"The Adobe Flash browser plug-in is available for multiple Web browsers and operating systems, any of which could be affected," CERT said. "An attacker could also create a PDF document that has an embedded SWF file to exploit the vulnerability. This vulnerability is being actively exploited."

The vulnerabilities can be mitigated by disabling the Flash plug-in or by using the NoScript extension for Mozilla Firefox or SeaMonkey to whitelist sites that can access the Flash plug-in, CERT said.

To disable Flash, US-CERT recommends:

• Disabling Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".

• Disabling Flash Player or selectively enabling Flash content as described in the "Securing Your Web Browser" document.

"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF (Shockwave Flash) content," the Adobe advisory said.

Typically, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0]\Acrobat\authplay.dll, Adobe said.

Windows Vista users can mitigate the impact of the exploit by enabling UAC (User Access Control), according to Adobe. Flash Player users should be careful when browsing unfamiliar Web sites.

Researchers on Wednesday reported that they had uncovered attacks in the wild in which malicious Acrobat PDF files were exploiting a vulnerability in Flash and dropping a Trojan onto computers.

The bug used in the exploit has been around since December 2008.

Researchers on Wednesday said they have uncovered attacks in the wild in which malicious Acrobat PDF files are exploiting a vulnerability in Flash and dropping a Trojan onto computers.

The situation could affect tons of users since Flash exists in all popular browsers, is available in PDF files, and is largely operating system-independent.

Any software that uses Flash could be vulnerable to the attack, according to Symantec. Adobe Reader is vulnerable because its Flash interpreter is vulnerable, said Paul Royal, principal researcher at Purewire, a Web security services provider.

In a post on its Web site, Adobe said it "is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information."

"The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique," Patrick Fitzgerald writes on a Symantec Security blog post.

"Typically an attacker would entice a user to visit a malicious Web site or send a malicious PDF via e-mail," he writes. "Once the unsuspecting user visits the Web site or opens the PDF this exploit will allow further malware to be dropped onto the victim's machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse."

It appears the exploit was first developed about two weeks ago, Royal said. The bug itself has been around since December 2008.

The hole is exploitable on Windows XP and Vista users are protected if User Account Control (UAC) is enabled, Symantec said.

US-CERT offered information about workarounds on its Web site:

• Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".

• Disable Flash Player or selectively enable Flash content as described in the "Securing Your Web Browser" document.

HP is set to announce on Monday a free tool that developers can use to check for holes in the Flash applications they write, which can lead to data leaks and other security problems on Web sites.

HP SWFScan decompiles Flash applications and searches the code for vulnerabilities and violations of Adobe's best security practices guidelines, said Billy Hoffman, manager of HP's Web Security Research Group. The tool works with all versions of Flash.

With the Flash Player installed on more than 98 percent of Internet-connected computers globally, Flash applications are a popular target for attackers. HP analyzed nearly 4,000 Web apps developed with the Flash platform and found that 35 percent violate Adobe's security best practices.

For example, encryption keys and other sensitive data have been found inside client-side Flash code, Hoffman said.

Flash, traditionally used for creating animation and games, has been increasingly used for Web 2.0 apps destined for enterprise use, for which tighter security measures are required, he said.

Hoffman explains how a Flash app vulnerability can be exploited in this video.

This isn't the first tool aimed at Flash developers. IBM last month announced its Rational AppScan, which automatically scans Flash and Ajax-based applications for security defects. The standard version of that product costs $17,550 for a one-year license.

Last year, HP was called upon by Microsoft to develop a free tool, Scrawlr, that developers can use to test for SQL injection vulnerabilities in apps on Microsoft's ASP platform, according to Hoffman.

While developers are striving to write more secure Flash apps, Adobe occasionally is forced to deal with security holes in the Flash Player itself. For instance, Adobe recently issued a patch for a hole in the player that could allow an attacker to remotely take control of a computer.

Adobe released a patch for a Flash player hole this week that could allow an attacker to remotely take control of a computer.

The vulnerability is critical for one for Adobe Flash Player 10.0.12.36 and earlier versions, the company said in an advisory.

To exploit the vulnerability, a targeted user must load a malicious Shockwave Flash file, which can be done by social engineering the user or injecting malicious content into a compromised, trusted Web site, according to an advisory from security firm iDefense.

Internet Explorer and Firefox plug-ins can be used to temporarily block and unblock Flash content, iDefense said.

While Adobe was releasing news about the Flash vulnerability, more information was surfacing about the hole in Adobe Reader 9 and Acrobat 9 that was announced last week. A patch is due by March 11.

Security company Sourcefire, which released a patch of its own, told IDG News Service that it has found evidence of attacks exploiting the vulnerability for more than six weeks.

There were two critical vulnerabilities in Adobe Reader last year that resulted in remote code execution exploits, according to an entry on the IBM Internet Security Systems blog.

"Currently, we have only witnessed this [new] exploit in highly targeted attacks and have not detected this exploit utilized heavily in the wild yet," the blog entry said. "But it is unknown how long it will be before we see this spread quickly through malicious websites. Milw0rm just released proof-of-concept exploit code. So, we don't expect it to take long before this exploit moves beyond targeted attacks to malicious exploit toolkit integration and widespread exploitation."

IBM announced new software on Wednesday that scans Flash and Ajax-based apps for security problems.

IBM Rational AppScan can automatically scan online applications every 15 minutes to check for security defects that could lead to compromised computers and Internet attacks. Administrators can receive security alerts on their mobile devices as they occur.

The standard version of the product costs $17,550 for a one-year license. The software also supports service oriented architecture applications, IBM said.

More than half of all vulnerabilities disclosed last year were Web applications, according to IBM's X-Force Trend Report.

And Flash seems to get its share of vulnerabilities. The number of Flash vulnerabilities detected in Web applications over the last two years have increased by 300 percent compared with 2005 and 2006, according to the IBM X-Force report.

Adobe Flash Player is on more than 98 percent of Internet connected computers and is used to view 80 percent of the video on the Web, IBM said.

One of the spam messages using Obama's election to entice people to download malware.

(Credit: Sophos)

Within hours of settling the U.S. presidential election on Tuesday, spam seen worldwide began incorporating the name and image of Barack Obama, according to various security vendors. The U.K.'s Sophos reported 60 percent of all spam seen by the lab on Wednesday was in some way Obama related.

One piece of spam alleges to contain a link to video of Obama's acceptance speech. If you follow the video link within the e-mail message you will be taken to a Web page where you'll be asked to update your Adobe Flash Player with a file, adobe_flash9.exe, first. This is not an official Adobe update file and downloading this file may in turn infect your computer with a Trojan.

Sophos named the Trojan Mal/Behav-027. F-Secure named it W32/Papras.CL. Sunbelt Software also has a blog about this particular piece of spam.

Meanwhile, Websense is reporting a separate threat. An e-mail appears to be an interview with the new president elect. The e-mail features embedded links to a video site that attempts to install a file, BarackObama.exe. Downloading this file may infect your computer with a Trojan.