Adobe Flash Player DEP and ASLR bypass affects browsers and Adobe Reader

Discussion in 'other security issues & news' started by MrBrian, Mar 7, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Researchers penetrate last bastion of Windows security:
    From Security Expert: Flash Is the Root of Browser Insecurity (Oh, and IE8 Isn't So Bad!):
    Newer-format PDF files that have Flash embedded can also apparently be targeted, according to JIT Spraying in PDF:
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    399
    Flashblock for Chrome and Firefox wouldn't help?
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Any Flash blocking browser add-ons that block Flash content on webpages would be helpful for blocking malicious Flash content in webpages, but be careful about PDFs that a browser may automatically open using Adobe Reader (or maybe even other PDF viewers). Flash blocker browser add-ons won't stop embedded Flash content within PDFs, as far as I know. If your browser can automatically open a PDF, then you may be vulnerable to a drive-by PDF with malicious embedded Flash content that could evade DEP and ASLR.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for the articles. Hopefully everyone will consider them carefully. I think the first one, from last month, has been discussed elsewhere.

    From the 2nd article:

    Well, that cripples a lot of sites on the internet. Wouldn't just disabling Plugins protect against the remote code execution exploit? That is, the Flash object would not load by default:

    flash_1.gif

    Loading the Flash object also requires javascript to be enabled:

    Code:
    <script type="text/javascript">
        // The Flash object is written into the page by script, so nothing
        // loads when JavaScript is disabled for this site.
        var swfSRC = "/swf/photogallery.swf";
        var flashvars = {};
        flashvars.xml = '/2009/12/top-ten/top-ten-photogallery.xml';
        // embedSWF(swfUrl, targetId, width, height, version, expressInstallUrl, flashvars)
        // The target id, size and version are placeholders; the quoted excerpt omitted them.
        swfobject.embedSWF(swfSRC, "photogallery", "600", "400", "9.0.0", false, flashvars);
    </script>
    

    Wouldn't this be an additional protection against the remote code execution exploit for those who configure scripting per site? Wouldn't these configurations also take care of remote code execution flash exploits embedded in a PDF file? In Opera, for example, disabling "Plugins" globally takes care of both Flash and PDF.

    Back to this site: with both Plugins and Javascript enabled, I see the photographs:

    flash_2.gif

    It's obvious that a decision must be made by the user. One would probably trust the National Geographic Site. But here is a similar message from a Facebook exploit, the Koobface trojan:

    koobface-2.gif

    One would hope that the user would not succumb to the trick. Much would depend on the user's knowledge of how her/his plugins are updated, and, hopefully, knowing to do so only from the vendor's site.

    Back to the remote code execution exploit: what happens if the user has Plugins and Javascript enabled? We would have to see the exploit in action to know, but based on previous such drive-by (remote code execution) Flash exploits, the payload would be a malware executable:

    Security in place to block this type of payload is an added protection.

    One of the points in the article is that most people have Flash enabled by default, but that doesn't negate the fact that there are solutions for the drive-by exploits (I present three here). Why don't these articles ever point that out?

    ----
    rich
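As an added example, not from this thread and not Flashblock's own code: a small Python check that lists the ways a page can load Flash. A static object/embed tag loads even with scripting off, while the swfobject pattern quoted in the post above only loads through JavaScript, which is why per-site scripting control also stops that object. Both sample pages are constructed; the script-only one follows the shape of the National Geographic snippet.

```python
import re
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
# CLSID of the Flash ActiveX control, as used by <object classid=...> in IE
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
SWF_URL_RE = re.compile(r"""["']([^"']+\.swf)["']""", re.I)
SWFOBJECT_RE = re.compile(r"swfobject\.(embedSWF|createSWF|registerObject)\s*\(")


class FlashVectorFinder(HTMLParser):
    """Collect every place a page loads Flash, as (kind, detail) pairs."""

    def __init__(self):
        super().__init__()
        self.vectors = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and (a.get("type", "").lower() == FLASH_MIME
                                or a.get("classid", "").lower() == FLASH_CLSID):
            self.vectors.append(("object", a.get("data") or a.get("classid", "")))
        elif tag == "embed" and (a.get("type", "").lower() == FLASH_MIME
                                 or a.get("src", "").lower().endswith(".swf")):
            self.vectors.append(("embed", a.get("src", "")))
        elif tag == "param" and a.get("name", "").lower() == "movie" \
                and a.get("value", "").lower().endswith(".swf"):
            self.vectors.append(("param", a["value"]))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            text = "".join(self._script)
            self._script = []
            # Script-driven loading: swfobject writes the <object> tag at
            # runtime, so nothing is loaded when scripting is off.
            for m in SWFOBJECT_RE.finditer(text):
                self.vectors.append(("script", "swfobject." + m.group(1)))
            for m in SWF_URL_RE.finditer(text):
                self.vectors.append(("script-swf-url", m.group(1)))


def find_flash_vectors(html):
    p = FlashVectorFinder()
    p.feed(html)
    p.close()
    return p.vectors


def loads_only_via_script(vectors):
    """True when every Flash vector found depends on JavaScript running."""
    kinds = {kind for kind, _ in vectors}
    return bool(kinds) and kinds <= {"script", "script-swf-url"}


# Constructed sample modelled on the swfobject snippet quoted in the thread.
SCRIPT_ONLY_PAGE = """<html><body>
<div id="photogallery">Flash player required</div>
<script type="text/javascript">
  var swfSRC = "/swf/photogallery.swf";
  var flashvars = {};
  flashvars.xml = '/2009/12/top-ten/top-ten-photogallery.xml';
  swfobject.embedSWF(swfSRC, "photogallery", "600", "400", "9.0.0", false, flashvars);
</script></body></html>"""

# Constructed sample with a static embed, which loads even with scripting off.
STATIC_PAGE = """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="600" height="400">
  <param name="movie" value="/swf/banner.swf">
  <embed src="/swf/banner.swf" type="application/x-shockwave-flash"></embed>
</object></body></html>"""

if __name__ == "__main__":
    for name, page in (("script-only", SCRIPT_ONLY_PAGE), ("static", STATIC_PAGE)):
        v = find_flash_vectors(page)
        print(name, v, "stopped by disabling JavaScript:", loads_only_via_script(v))
```

The distinction matters for the advice in the thread: disabling JavaScript per site covers the first page, while the second needs plugins disabled or a Flash blocker.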
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Hopefully my previous post (which probably wasn't there yet when you started composing your last message) addresses this.

    It's always good to highlight thoughts like these again :).
     
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Charlie Miller: The main thing is not to install Flash!

    Pwn2Own 2010: interview with Charlie Miller.

     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Weren't you addressing Flash Block? What about Plugins in general? I don't know how Firefox works, but in Opera, you can configure per site,

    plugins-1.gif

    and/or globally

    plugins-2.gif

    Have you seen the exploit code for a PDF file with embedded Flash object? With Plugins disabled, wouldn't that prevent the PDF file from loading automatically? Hence, no Flash object triggered?

    Anyway, my advice to home users always has been to configure PDF files to prompt for a download:

    [IMG]

    Using code from past exploits, I make a drive-by exploit and it generates the download prompt:

    plugins-3.gif

    Wouldn't that be a good preventative measure against the drive-by exploit?

    Again, I ask rhetorically, why these authors who like to present these vulnerabilities to the public don't discuss preventative measures, other than "switch browsers" or "don't install Flash." Not very helpful, IMO!

    ----
    rich
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    No, but I didn't look either.

    Sorry I don't know for sure, as I switched to Firefox last year.

    It's probably best to also not have PDFs open automatically in the browser, as you already suggested, so that in any event having Opera Plugins turned on for a given site doesn't expose you to drive-by PDFs.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What is your advice to Firefox users as to configuring the browser to prevent the drive-by PDF exploit?

    ----
    rich
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In Firefox itself, in Tools->Options->Applications, I have almost every content type set to "Always ask."

    In Adobe Reader, in Edit->Preferences->Internet, I have "Display PDF in browser" unchecked.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks!

    This takes care of Firefox and Opera.

    Maybe users of IE, Chrome, and others, can post similar settings from their Options.

    ----
    rich
     
  13. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    I would add also that there are alternatives to Adobe Reader, such as Foxit and Nuance. While they may or may not be more secure in and of themselves, the fact is that exploits are targeted specifically at Adobe Reader weaknesses.

    And no matter which pdf reader you use, it is safer to disable javascript in the reader unless you must use some particular documents (such as some pdf forms) that require it.
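Following on from the point about JavaScript in PDF readers, and from the earlier warning that Flash blockers do not see Flash embedded in a PDF, here is an added example that is not from this thread or from any reader vendor: a Python triage script that scans a downloaded PDF for the features that make a document active (JavaScript, actions that fire on open, external launches, and Flash rich media) before it is opened. It looks inside FlateDecode streams, where such objects are usually stored, and expands #xx name escapes so a key like /J#53 is still recognised as /JS. The sample PDF is constructed and inert.

```python
import re
import zlib

# PDF dictionary keys that give a document active behaviour. The names come
# from the PDF specification; the risk list is this example's own choice.
RISKY_KEYS = {
    "/JavaScript":   "JavaScript action",
    "/JS":           "inline JavaScript code or stream",
    "/OpenAction":   "action run when the document opens",
    "/AA":           "additional actions (page open, field events, ...)",
    "/Launch":       "launch an external application",
    "/RichMedia":    "rich media annotation (how Flash is embedded)",
    "/Flash":        "Flash rich media subtype",
    "/EmbeddedFile": "embedded file attachment",
}

_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _unhex_names(data):
    """Expand #xx escapes in PDF names so that /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data):
    """Yield the content of every stream that inflates; skip the rest."""
    for m in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def triage_pdf(data):
    """Return {key: count} for each risky key in the objects or their streams."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    # Scan the object text with stream bodies cut out (raw compressed bytes
    # would only add noise), then the inflated stream bodies.
    corpus = _STREAM_RE.sub(b"stream\nendstream", data)
    corpus += b"\n" + b"\n".join(_inflate_streams(data))
    corpus = _unhex_names(corpus)
    findings = {}
    for key in RISKY_KEYS:
        # A name ends at the first delimiter or whitespace, so /JS must not
        # match a longer name such as /JSX.
        hits = re.findall(re.escape(key.encode()) + rb"(?![A-Za-z0-9_])", corpus)
        if hits:
            findings[key] = len(hits)
    return findings


def verdict(findings):
    """Summarise the findings for the user who just saw the download prompt."""
    if not findings:
        return "no active content found"
    return "needs review: " + ", ".join(
        "%s x%d (%s)" % (k, n, RISKY_KEYS[k]) for k, n in findings.items())


def constructed_sample():
    """A constructed one-page PDF (not a real malicious file): the catalog fires
    a JavaScript action on open, and the page annotation, kept inside a
    FlateDecode stream, declares a Flash rich media object."""
    annot = zlib.compress(b"<< /Type /RichMedia /Subtype /Flash >>")
    return (b"%PDF-1.6\n"
            + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            + b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
            + b"4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj\n"
            + b"5 0 obj << /Length " + str(len(annot)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + annot + b"\nendstream\nendobj\n"
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(verdict(triage_pdf(constructed_sample())))
```

A reader with JavaScript turned off neutralises the first three findings in the sample; only not opening the file, or a reader that ignores rich media, covers the Flash annotation.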
     
  14. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Can these exploits assume root privileges in a LUA account?
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If there is a privilege escalation vulnerability, holes in your LUA account, etc.
     