Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Yet another Adobe Flash/Reader/Acrobat 0 day SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Yet another Adobe Flash/Reader/Acrobat 0 day

Adobe released that a so far unpatched vulnerability has been used in recent targeted attacks.

Flash Player is vulnerable, as is the flash player component used to execute flash in Adobe Reader / Acrobat. Adobe Reader X is vulnerable bu but not exploitable. 

At this time, according to Adobe, the attack is performed using Flash files embedded in Word documents. 

Note that Flash may be embedded in other Office document formats like Excel. Adobe is not planning on an out of band patch at this point, as Adobe Reader X is not exploitable.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Defending Web Applications Security Essentials - SANS Cyber Defense Initiative 2021


4302 Posts
ISC Handler
Apr 11th 2011
I believe Acrobat Reader X is only not vulnerable if sandbox is enabled. I don't find anything that Reader X is not vulnerable if sandbox mode is not enabled. Do you have a link somewhere that describes this?
A little clarification: According to the advisory, it's only Adobe Reader X for Windows that is not exploitable. Adobe Reader X for Mac is.
Based on APSA11-02 it can be confusing. From what I read I agree Adobe X for Mac OSX is. They state
"We are in the process of finalizing a schedule for delivering updates for Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.2) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011."

If I remember correctly protected mode in MAC OSX is not fully implemented. May be useful but cannot remember off hand. -->

11 Posts
Hm, kind of deja-vu (Flah embedded into a DOC) looking at the RSA issue which has been claimed to be fixed:
The problem with Adobe's approach of using the sandbox as a crutch is that not everyone can use Protected Mode since it is still buggy. For example, try embedding a PDF into a Word document while having Reader X installed and Protected Mode enabled.
Is it just me or is their 'about' page no longer working?

68 Posts seems to be the new page which I was redirected to. It might be your browser is not taking the redirect due to a plugin (if it is firefox). If not, no clue. Better check for the Adobe root kit LOL.
Al of Your Data Center

80 Posts
Yeah I am redirected there as well..... but that page doesn't tell me anything about the version of Flash that I am running....

68 Posts
K-Dee, the 'about' page for Flash Player is now:

2 Posts
Thanks AE1!

68 Posts

Sign Up for Free or Log In to start participating in the conversation!