As expected, Adobe today patched a vulnerability in Adobe Reader disclosed last week by Google’s Project Zero. What was unexpected was a Flash Player update that includes a patch for a vulnerability being exploited in the wild, Adobe said.
Adobe had announced last Thursday in its pre-notification advisory that it would be issuing a security update for Adobe Reader and Acrobat, but no mention of the Flash update was made. Adobe has been busy shoring up Flash Player security with two updates in November, including an out-of-band emergency fix for a remote code execution vulnerability already included in a number of popular exploit kits. Earlier in November, Adobe patched 18 vulnerabilities in Flash Player as part of its regular update cycle.
Today’s patches affect version 188.8.131.52 and earlier, and 184.108.40.2068 and earlier 13.x versions for Windows and Macintosh, and 220.127.116.114 and earlier for Linux. All except the Linux update received Adobe’s most severe priority rating. In all, the update patches six vulnerabilities, Adobe said, with the public exploit targeting CVE-2014-9163. Researcher bilou of HP’s Zero Day Initiative reported the issue to Adobe.
“These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system,” Adobe said in its advisory.
The Adobe Reader and Acrobat update patches 20 vulnerabilities, including CVE-2014-9150, which could allow an attacker to escape the Reader sandbox and attack the underlying computer.
On Dec. 1, researcher James Forshaw, a well-known bug-hunter and Project Zero member, went public with details of a sandbox escape vulnerability in Reader, as well as exploit code. Per its policy, Google’s security research team discloses vulnerability details 90 days after it shares those details with the vendor in question. In this case, the vulnerability was partially addressed earlier by Adobe after it was reported in August. Adobe tweaked Reader in order to make exploiting the vulnerability much more difficult. The flaw, however, had not been patched. Adobe’s adjustment to Reader in version 11.0.9 prevented the vulnerability from using the broker file system hooks to create directory junctions, Forshaw said.
The vulnerability is a race condition in the MoveFileEx call hook in Reader which, if exploited, bypasses the built-in sandbox and allows an attacker to write files in arbitrary locations. Today’s update patches the flaw in Adobe Reader 11.0.09 and earlier, and 10.1.12 and earlier, as well as Acrobat 11.0.09 and earlier, and Acrobat 10.1.12 and earlier for Windows and Macintosh, Adobe said.
Adobe also released security hotfixes for ColdFusion, its web application development platform. The update patches one vulnerability in ColdFusion 11 and 10 for Windows.
“These hotfixes address a resource consumption issue that could potentially result in denial of service for ColdFusion running on Windows,” Adobe said, adding that it is not aware of public exploits.
ColdFusion 11 users should look for Hotfix version Update 3, and ColdFusion 10 users should apply Hotfix version Update 15, Adobe said.