Adobe Software Security Review
Wednesday, 01 June 2011
In recent years, users of Adobe's widely deployed Adobe Acrobat, Adobe Reader and Adobe Flash Player have faced some severe security problems. A search of the German federal CERT's advisory database at cert-bund.de, a few further sources and an analysis of one recent bug are meant to shed some light on this.

On cert-bund.de/search, enter the terms "+Adobe +Acrobat -Download" and restrict the date range for notices to 27.04.09 through 27.04.11 with a maximum of 50 entries [1]. At the time of writing the results page shows some 49 entries since October 2009. The search string is, of course, deliberately broad and not meant to single out the category 5 notice of 26 April 2011 on the Adobe Flash, Acrobat and Acrobat Reader flaw (CB-K11/0196 Update 2) [2], which is examined separately below. That flaw allowed arbitrary code execution, and every current version of UNIX, Linux, Mac OS X, Windows and Android able to run the affected Adobe software was exposed. The German federal CERT placed CB-K11/0196 in its high-risk category, which it reserves for flaws that in general allow remote code execution, in the worst case as a high-privileged user such as root or Administrator.
CB-K11/0196 corresponds to Adobe's own advisory APSA11-02 and security bulletin APSB11-08 in the Security Advisory section of adobe.com, covering CVE-2011-0611 and CVE-2011-0610 [3]. Adobe rated the vulnerability critical, which in Adobe's terms means that, if exploited, it would allow malicious native code to execute, potentially without the user being aware. The German federal CERT also lists three notices for April 2011 alone that are rated high-risk (category 5) [4]. Adobe summarized the situation in APSB11-08 as follows, quote: "There are reports that one of the vulnerabilities, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform." Adobe also stated that security updates were available for Adobe Acrobat (including Acrobat X) and Adobe Reader, but that Adobe Reader X's Protected Mode sandbox would prevent exploits of the type targeting CVE-2011-0611 from executing; the Reader X update was therefore deferred to the regular quarterly release on June 14, 2011.

Searching further for CVE-2011-0611 turns up an exhaustive report titled "Apr 22 CVE-2011-0611 PDF-SWF Marshall Plan for the North" on contagiodump.blogspot.com [5]. It shows that attackers were indeed actively exploiting this vulnerability by sending a specially crafted PDF file to their targets. Leaving aside the message body, mail headers and PDF metadata, the sample document of nearly half a megabyte carries the malicious payload, and Microsoft's malware scanner correctly detects it as "Exploit:SWF/CVE-2011-0611.I". The malicious code lies in the Flash content embedded in the document, which can be extracted for later analysis. Because Flash content usually contains ActionScript (AS), a platform-independent scripting language, malware authors love it as an attack vector. After successful exploitation a dropped binary named 'AcroRd32.exe' (borrowing the name of the genuine Adobe Reader executable) is run and establishes connections to a system located in China.

In the case of CVE-2011-0611 and the sample detected as "Exploit:SWF/CVE-2011-0611.A", exploitation is triggered by operations that abuse a flaw in version 1 of the ActionScript Virtual Machine (AVM1). The author "mmpc2" and Bruce Dang published the article "Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation" on blogs.technet.com in mid April 2011 [6]; their analysis covers the variant delivered inside a Microsoft Word document. They describe that the attackers packaged the AVM1 code inside an AVM2-based Flash file, and that the AVM2 code first builds a heap-spray buffer consisting of a NOP sled. It then constructs Win32 shellcode, which is thereby placed in the Flash Player's memory. Only after that is the AVM1 code that triggers the vulnerability loaded as a separate SWF file, reconstructed from a hex-encoded string embedded in the outer file [7]. In short, the shellcode then brute-forces the Microsoft Word document's file handle, retrieves the document's file path and decrypts a binary embedded in the document. It goes on to decrypt an embedded .doc file, saves it to disk, dumps the document and finally terminates all processes named 'hwp.exe' (the Hangul Word Processor, a word processor widely used in Korea).
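As an added example (not code from this article, nor from the Contagio or MMPC analyses it cites), the following Python script performs the kind of triage the two paragraphs above describe: it pulls stream objects out of a PDF, inflates FlateDecode streams, checks whether a stream is an SWF file, looks for a second SWF hidden as a hex-encoded string inside it (the AVM1-inside-AVM2 packaging the MMPC analysis describes), and flags PDF names associated with active content (/JS, /OpenAction, /RichMedia and so on), including names obfuscated with #xx escapes. The sample PDF it builds is constructed for this example and is not a real malware sample; the 'loader=' marker in it is a stand-in for wherever a real SWF keeps its embedded string, and the SWF bodies are headers only, with no ActionScript.

```python
"""Triage a PDF for embedded Flash (SWF) files and other active content.

Added example; not code from the article or the analyses it cites. The sample PDF
is constructed here and is neither a real malware sample nor a renderable document.
Only FlateDecode streams are inflated; other filters are scanned as raw bytes.
"""
import re
import zlib

SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
RISKY_NAMES = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
               b"/RichMedia", b"/Flash", b"/EmbeddedFile")

# "<< dict >> stream\n": the dict pattern tolerates one level of nested << >> and,
# because it excludes < and >, cannot run across neighbouring objects.
STREAM_START_RE = re.compile(
    rb"<<([^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only
END_RE = re.compile(rb"\r?\nendstream")
HEX_RUN_RE = re.compile(rb"(?:[0-9A-Fa-f]{2}){16,}")          # 32+ hex chars, even
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_names(data):
    """Resolve #xx escapes in PDF names (/Java#53cript -> /JavaScript) that dodge keyword scans."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def parse_swf_header(data):
    """Return (compression, version, declared_length) if data starts with an SWF header, else None."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    return SWF_SIGNATURES[data[:3]], data[3], int.from_bytes(data[4:8], "little")


def iter_streams(pdf):
    """Yield (dictionary, decoded bytes) for every stream; honour a direct /Length,
    fall back to the endstream keyword, and inflate FlateDecode streams."""
    pos = 0
    while True:
        m = STREAM_START_RE.search(pdf, pos)
        if not m:
            return
        dictionary, start = m.group(1), m.end()
        length = LENGTH_RE.search(dictionary)
        if length:
            end = start + int(length.group(1))
        else:  # /Length missing or an indirect reference (e.g. "7 0 R")
            e = END_RE.search(pdf, start)
            end = e.start() if e else len(pdf)
        raw = pdf[start:end]
        if b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # corrupt or chained filters: scan the raw bytes instead
        yield dictionary, raw
        pos = end


def find_hex_encoded_swf(data):
    """Locate SWF files stored as hex strings, e.g. an AVM1 SWF carried inside an AVM2 SWF."""
    hits = []
    for m in HEX_RUN_RE.finditer(data):
        header = parse_swf_header(bytes.fromhex(m.group(0).decode("ascii")))
        if header:
            hits.append((m.start(), header))
    return hits


def triage_pdf(pdf):
    """Return risky names, streams that are SWF files, and hex-encoded SWFs inside streams."""
    streams = list(iter_streams(pdf))
    # Scan the raw file plus every decoded stream, so names inside object streams
    # (/ObjStm) or behind #xx escapes are seen as well.
    visible = unescape_names(pdf) + b"".join(data for _, data in streams)
    findings = {
        "risky_names": sorted(n.decode() for n in RISKY_NAMES
                              if re.search(re.escape(n) + rb"(?![A-Za-z])", visible)),
        "swf_streams": [],
        "hex_swf": [],
    }
    for i, (_, data) in enumerate(streams):
        header = parse_swf_header(data)
        if header:
            findings["swf_streams"].append((i, header))
        findings["hex_swf"].extend((i, off, h) for off, h in find_hex_encoded_swf(data))
    return findings


def build_sample_pdf():
    """Constructed sample: a RichMedia annotation whose embedded file is a fake SWF
    (header only) carrying a second SWF as a hex string, plus a /JS /OpenAction whose
    action name is obfuscated as /Java#53cript."""
    inner_swf = b"CWS" + bytes([10]) + (100).to_bytes(4, "little") + bytes(8)
    outer_swf = (b"FWS" + bytes([10]) + (200).to_bytes(4, "little") + bytes(16)
                 + b"loader=" + inner_swf.hex().encode("ascii") + b";")
    stream = zlib.compress(outer_swf)
    return b"\n".join([
        b"%PDF-1.7",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R"
        b" /OpenAction << /S /Java#53cript /JS (app.alert(1)) >> >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent"
        b" << /Assets 5 0 R /Configurations [<< /Subtype /Flash >>] >> >> endobj",
        b"5 0 obj << /Type /Filespec /EF << /F 6 0 R >> >> endobj",
        b"6 0 obj << /Type /EmbeddedFile /Length " + str(len(stream)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + stream + b"\nendstream endobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ])


if __name__ == "__main__":
    for key, value in triage_pdf(build_sample_pdf()).items():
        print(key, value)
```

Run it as a script to see the findings for the constructed sample, or call triage_pdf() on the bytes of a real file. It is a triage aid, not a verdict: a RichMedia annotation or a JavaScript action is legitimate in many documents, a hex run that happens to decode to "FWS" is possible in any large blob, and streams with chained or non-Flate filters are only scanned raw.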

At this point we at TRON-DELTA.ORG would like to give some advice to everyone working with computer systems, regardless of profession or line of business.

1. We strongly recommend that everyone, but especially end users, not open emails or attachments from untrusted sources, or emails that seem suspicious, even if they appear to come from people they know.

2. We advise everybody, but especially IT decision makers, to roll out and run security-enhanced operating systems and to use FOSS software to view, print and collaborate on PDF files; such viewers typically ship without a Flash runtime, so embedded Flash content of the kind described above is simply not executed. This has nothing to do with ideology but with conformance, efficiency and risk assessment.

3. We also encourage everyone to produce PDF/A documents whenever possible, regardless of the OS or document reader used, and to avoid scripts within PDF documents at all costs. PDF/A prohibits JavaScript and embedded multimedia such as Flash, so a document that conforms to it cannot carry the kind of payload described above.

Of course this does not necessarily solve the problems with Adobe Flash. For Flash we recommend enforcing policies that disable the plugin in user agents such as web browsers [8]. Where users have a genuine need for Flash, the plugin should stay disabled by default and be enabled per use with a single click (click-to-play) for security reasons. Unfortunately there is not much to find on the Visible Web regarding that matter. On the one hand Adobe technologies appear to be widely accepted, and on the other hand critical articles seem to rank low as soon as certain keywords are used. However, the most crucial factors are probably the software (especially the operating systems) in use and the skills (especially the risk awareness) of end users.
Last Updated (Wednesday, 15 June 2011)
©  2003 - 2017   TRON-DELTA.ORG  (NGO)   –   Nongovernmental  Intelligence  Organization