I'd like to call your attention (again) to a major Adobe bulletin that was released yesterday (actually, still today, if you're far enough behind GMT, but I'm sitting just a train ride away from Greenwich, UK).

In brief, the bulletin concerns the following CVE (Common Vulnerabilities and Exposures) issues:

  • CVE-2009-1862
  • CVE-2009-0901
  • CVE-2009-2395
  • CVE-2009-2493
  • CVE-2009-1863
  • CVE-2009-1864
  • CVE-2009-1865
  • CVE-2009-1866
  • CVE-2009-1867
  • CVE-2009-1868
  • CVE-2009-1869
  • CVE-2009-1870

Adobe categorizes the issues concerned as critical, and recommends:

  • That users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. 
  • That users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2.
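The fixed builds above differ per branch, so a single "is it at least X" threshold misclassifies hosts: 9.0.246.0 is patched but numerically below 10.0.32.18. The following is an added example, not code from Adobe or from this post, showing a branch-aware check. The accepted version-string formats, the host names and the inventory entries are assumptions made for illustration.

```python
import re

# Fixed versions quoted in the bulletin text above, keyed by major branch.
FIXED = {
    "flash": {9: (9, 0, 246, 0), 10: (10, 0, 32, 18)},
    "air": {1: (1, 5, 2, 0)},
}

def parse_version(text):
    """Turn '10.0.22.87', '10,0,22,87' or 'WIN 10,0,22,87' into a 4-tuple."""
    match = re.search(r"\d+(?:[.,]\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in re.split(r"[.,]", match.group())]
    return tuple((parts + [0, 0, 0, 0])[:4])  # pad short forms such as '1.5.2'

def needs_update(product, version_text):
    """True if the installed version predates the fixed build for its branch."""
    installed = parse_version(version_text)
    branches = FIXED[product]
    major = installed[0]
    if major in branches:
        return installed < branches[major]
    # Branches older than any listed fix are covered by "and earlier versions".
    # Assumption: a branch newer than the bulletin mentions is out of scope.
    return major < min(branches)

# Constructed sample inventory: (host, product, reported version string).
INVENTORY = [
    ("ws-01", "flash", "WIN 10,0,22,87"),
    ("ws-02", "flash", "10.0.32.18"),
    ("ws-03", "flash", "9.0.246.0"),
    ("ws-04", "flash", "9.0.159.0"),
    ("ws-05", "flash", "8.0.24.0"),
    ("ws-06", "air", "1.5.1.8210"),
    ("ws-07", "air", "1.5.2"),
]

def audit(inventory):
    """Return the hosts whose reported version still needs the update."""
    return [host for host, product, ver in inventory if needs_update(product, ver)]

if __name__ == "__main__":
    for host in audit(INVENTORY):
        print(f"{host}: update required")
```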

Among other issues, the update for Adobe Flash Player provides remediation for the vulnerabilities in the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory 973882.

An update is also promised for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by today.

As Graham Cluley rightly points out in his blog on the same topic, Adobe has become almost the target of choice among black hats recently. (No, I haven't got notification from Adobe yet: a good job I read other blogs, isn't it?)

Perhaps even more significant, though, is the interdependency between applications demonstrated here. In a complex operating environment like Windows, it isn't always practical to consider applications in isolation from each other: the ATL vulnerabilities highlighted at Black Hat affect both Adobe and Microsoft applications, and while the Flash Player update is a Good Thing, you also need the Microsoft update described here. While AV vendors are detecting some vulnerabilities proactively, you shouldn't rely on AV detection alone, as exploits can sometimes be tweaked so as to evade detection by specific products.

David Harley
Director of Malware Intelligence