Message-ID: <62F4CA839CD14966B9C615D3EC9A3847@celsius>
Date: Wed, 10 Jul 2013 17:21:48 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: VULNERABLE (3rd party) components in Adobe Reader 11.0.03, and dangling reference to Acrobat.exe
Hi @ll,
the current Adobe Reader 11.0.03 installs the following VULNERABLE (3rd party)
components:
1. Adobe Flash Player Plugin 11.5.502.110
| X:\>filever.exe /S "%ProgramFiles%\Adobe\npswf*.dll"
| x:\program files\adobe\reader 11.0\reader\npswf*.dll
| --a-- W32i DLL ENU 11.5.502.110 shp 14,588,632 05-11-2013 npswf32.dll
Cf. <http://www.adobe.com/support/security/bulletins/apsb13-17.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-16.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-14.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-11.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-09.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-08.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-05.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-04.html>,
<http://www.adobe.com/support/security/bulletins/apsb13-01.html>,
and <http://www.adobe.com/support/security/bulletins/apsb12-27.html>
The wise guys at Adobe missed 10 security updates of their own product!
2. MSVC++ 2008 runtime libraries 9.0.21022.8
| X:\>filever.exe /S "%SystemRoot%\WinSxS\msvc?90.dll"
| x:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvc?90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 224,768 11-06-2007 msvcm90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 568,832 11-07-2007 msvcp90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 655,872 11-07-2007 msvcr90.dll
These DLLs have been updated several times since 2007-11-07, cf.
<http://support.microsoft.com/kb/973551> and
<http://support.microsoft.com/kb/973552> alias
<http://www.microsoft.com/technet/security/bulletin/ms09-035>
as well as <http://support.microsoft.com/kb/2467174> and
<http://support.microsoft.com/kb/2538243> alias
<http://www.microsoft.com/technet/security/bulletin/ms11-025>
JFTR: Adobe Reader XI was released 2012-09-24, more than one year after
MS11-025!
3. MSVC++ 2010 runtime libraries 10.0.40219.1
| X:\>filever.exe /S "%SystemRoot%\System32\msvc?100.dll"
| x:\windows\system32\msvcp100.dll
| --a-- W32i DLL ENU 10.0.40219.1 shp 421,200 02-19-2011 msvcp100.dll
| x:\windows\system32\msvcr100.dll
| --a-- W32i DLL ENU 10.0.40219.1 shp 773,968 02-19-2011 msvcr100.dll
Cf. <http://support.microsoft.com/kb/2467174> and
<http://support.microsoft.com/kb/2565063> alias
<http://www.microsoft.com/technet/security/bulletin/ms11-025>
JFTR: Adobe Reader XI was released 2012-09-24, more than one year after
MS11-025!
Unfortunately, the wise guys at Adobe don't know the platform on which their
product runs and include the MSVC++ 2008 and 2010 runtimes via MSI merge module.
Due to a well-known idiosyncrasy of the Windows Update Agent, M$FT components
installed via MSI merge module are NOT detected and thus not updated by M$FT ...
although M$FT advises their users to do so!
From the FAQ section of
<http://www.microsoft.com/technet/security/bulletin/ms11-025>
| In the case where a system has no MFC applications currently installed but
| does have the vulnerable Visual Studio or Visual C++ runtimes installed,
| Microsoft recommends that users install this update as a defense-in-depth
| measure, in case of an attack vector being introduced or becoming known at
| a later time.
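Checking a box for items 1 to 3 above comes down to comparing the file versions filever.exe reports against the versions the linked bulletins ship, and doing that comparison numerically: compared as strings, "9.0.21022.8" sorts AFTER "9.0.21022.218". The following script is an added example, not part of the post and not an Adobe or Microsoft tool; it parses the filever.exe /S listings quoted above (embedded as a constructed sample) and flags every file below a baseline. The baseline versions are this example's assumption and should be taken from the bulletins APSB13-17, MS09-035 and MS11-025 linked above.

```python
import fnmatch
import re
from collections import namedtuple

# Constructed sample: the three filever.exe /S listings quoted in the post,
# with the "| " mail quoting removed.
SAMPLE_FILEVER_OUTPUT = """\
x:\\program files\\adobe\\reader 11.0\\reader\\npswf*.dll
--a-- W32i DLL ENU 11.5.502.110 shp 14,588,632 05-11-2013 npswf32.dll
x:\\windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\\msvc?90.dll
--a-- W32i DLL ENU 9.0.21022.8 shp 224,768 11-06-2007 msvcm90.dll
--a-- W32i DLL ENU 9.0.21022.8 shp 568,832 11-07-2007 msvcp90.dll
--a-- W32i DLL ENU 9.0.21022.8 shp 655,872 11-07-2007 msvcr90.dll
x:\\windows\\system32\\msvcp100.dll
--a-- W32i DLL ENU 10.0.40219.1 shp 421,200 02-19-2011 msvcp100.dll
x:\\windows\\system32\\msvcr100.dll
--a-- W32i DLL ENU 10.0.40219.1 shp 773,968 02-19-2011 msvcr100.dll
"""

# ASSUMED minimum patched versions per file-name pattern. These numbers are
# the example's assumption, not figures from the post; take the authoritative
# values from the bulletins it links and adjust here.
ASSUMED_BASELINE = [
    ("npswf32.dll",  "11.7.700.224",   "APSB13-17"),
    ("msvc?90.dll",  "9.0.30729.6161", "MS11-025"),
    ("msvc?100.dll", "10.0.40219.325", "MS11-025"),
]

FileRecord = namedtuple("FileRecord", "directory name version date")
Finding = namedtuple("Finding", "name directory installed required source")

# One filever.exe result line: attributes, platform, type, language,
# version, flags, size, date, file name.
FILE_LINE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<platform>\S+)\s+(?P<kind>\S+)\s+(?P<lang>\S+)\s+"
    r"(?P<version>\d+(?:\.\d+){1,3})\s+(?P<flags>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d\d-\d\d-\d{4})\s+(?P<name>\S+)$"
)
# A directory header line printed by filever.exe /S ("x:\...\pattern").
DIR_LINE = re.compile(r"^[A-Za-z]:\\")


def parse_version(text):
    """'9.0.21022.8' -> (9, 0, 21022, 8); padded to four fields so tuples
    compare numerically, which is what a string comparison gets wrong."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def format_version(version):
    return ".".join(str(p) for p in version)


def parse_filever(text):
    """Turn filever.exe /S output into FileRecords, remembering the
    directory header that precedes each group of file lines."""
    records, directory = [], ""
    for line in text.splitlines():
        line = line.strip()
        if DIR_LINE.match(line):
            directory = line.rsplit("\\", 1)[0]  # drop the trailing file pattern
            continue
        m = FILE_LINE.match(line)
        if m:
            records.append(FileRecord(directory, m.group("name"),
                                      parse_version(m.group("version")),
                                      m.group("date")))
    return records


def audit(records, baseline):
    """Report every record whose version is below the first matching
    baseline entry. Matching is by case-insensitive glob on the file name."""
    findings = []
    for rec in records:
        for pattern, minimum, source in baseline:
            if fnmatch.fnmatchcase(rec.name.lower(), pattern.lower()):
                required = parse_version(minimum)
                if rec.version < required:
                    findings.append(Finding(rec.name, rec.directory,
                                            rec.version, required, source))
                break
    return findings


if __name__ == "__main__":
    for f in audit(parse_filever(SAMPLE_FILEVER_OUTPUT), ASSUMED_BASELINE):
        print("OUTDATED %-14s %s < %s (%s) in %s" % (
            f.name, format_version(f.installed), format_version(f.required),
            f.source, f.directory))
```

On a live system, feed it the real output (`filever.exe /S ... > filever.txt`) instead of the sample; note that the WinSxS directory name encodes the assembly version, so an unpatched 9.0.21022.8 assembly stays on disk, and stays loadable, even after a newer runtime is installed beside it.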
4. Additionally, the following dangling references to Acrobat.exe are created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\Acrobat.exe]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithList\Acrobat.exe]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcroExch.Document.11\protocol\StdFileEditing\server]
@="\"Acrobat.exe\""
The latter references "Acrobat.exe" without a path, so the name is resolved
via the process's search path, which includes the current working directory:
a rogue program named "Acrobat.exe" placed in the CWD is executed via OLE in
the security context of the logged-on user.
Cf. <http://technet.microsoft.com/security/advisory/2269637>
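The defect in item 4 is mechanical enough to scan for: a COM/OLE server registration whose program is a bare file name rather than a fully qualified path. The script below is an added example, not part of the post; it parses .reg-style text (a constructed sample built from the entries quoted on this page, pairing the unqualified `StdFileEditing\server` value with the correctly qualified `LocalServer32` value of the preview handler further down) and reports `server`, `LocalServer32` and `command` values whose executable has no drive, UNC or environment-variable prefix, plus `OpenWithList` subkeys that name a program by bare name. The key names and value names it inspects are those on the page; treating an unqualified name as dangerous is the point of the advisory, and the set of value names checked is this example's choice.

```python
import re
from collections import OrderedDict

# Constructed sample in regedit export syntax, assembled from entries
# quoted in the post: two dangling references and one qualified one.
REG_SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\Acrobat.exe]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcroExch.Document.11\protocol\StdFileEditing\server]
@="\"Acrobat.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\LocalServer32]
@="\"X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlrshim.exe\""
'''

# Value names under which an executable path is expected (example's choice).
SERVER_VALUE_KEYS = {"server", "localserver32", "command"}

# '"name"=...' or '@=...' (default value); names and strings use \" and \\ escapes.
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(text):
    """Undo regedit's backslash escaping: \\ -> \ and \" -> \"."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Parse regedit export text into {key: {value_name: value}}.
    The default value is stored under the empty name ''."""
    keys, current = OrderedDict(), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = unescape(raw[1:-1])
        elif raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        else:
            value = raw  # hex:, multi-string etc. kept verbatim
        keys[current][name] = value
    return keys


def executable_of(command):
    """First token of a command line, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_qualified(exe):
    """True for a drive-letter path, a UNC path, or one rooted in a %VAR%."""
    return re.match(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)", exe) is not None


def find_dangling(keys):
    """Return (key, kind, program) for each registration that names a
    program by bare file name instead of a fully qualified path."""
    findings = []
    for key, values in keys.items():
        parts = key.split("\\")
        leaf = parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        if parent.lower() == "openwithlist" and leaf.lower().endswith(".exe"):
            findings.append((key, "openwithlist-bare-name", leaf))
        elif leaf.lower() in SERVER_VALUE_KEYS and isinstance(values.get(""), str):
            exe = executable_of(values[""])
            if exe and not is_qualified(exe):
                findings.append((key, "unqualified-server", exe))
    return findings


if __name__ == "__main__":
    for key, kind, program in find_dangling(parse_reg(REG_SAMPLE)):
        print("%-24s %-12s %s" % (kind, program, key))
```

To audit a real machine, export the hive (`reg export HKLM\SOFTWARE\Classes classes.reg`) and feed the file to `parse_reg`; anything reported as `unqualified-server` is a candidate for the Advisory 2269637 class of issue and should be fixed by the vendor with a full path, or removed if the program is not installed at all.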
5. On Windows XP the following superfluous registry entries are created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\"
"AppName"="AcroBroker.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="AcroRd32Info.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\"
"AppName"="AdobeARM.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}]
"Policy"=dword:00000003
"AppName"="AdobeCollabSync.exe"
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="AcroRd32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A2397324-4D73-4870-A795-995C56F49FBD}]
"Policy"=dword:00000001
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="arh.exe"
If the wise guys at Adobe knew the platform on which their product runs
a little better, they'd probably know that "Low Rights\ElevationPolicy"
is supported on Windows Vista and later only.
Stefan Kanthak
PS: the "PDF Preview Handlers" which are installed unconditionally on
Windows XP are superfluous too (at least when Outlook 2007 is not
installed).
Cf. <http://msdn.microsoft.com/library/cc144143.aspx>
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}]
"AppID"="{5D238751-7E51-4F24-9E7D-93C58881B20B}"
"DisplayName"="@\"X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlrshim.exe\",-101"
@="Adobe PDF Preview Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\LocalServer32]
@="\"X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlrshim.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\ProgID]
@="PDFPrevHndlrShim.PDFPrevHndlrShim.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\Programmable]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\TypeLib]
@="{A58FB5B3-CF96-4C63-B0D2-232A1AEA1A1B}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\VersionIndependentProgID]
@="PDFPrevHndlrShim.PDFPrevHndlrShim"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}]
"AppID"="{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"
@="Adobe PDF Preview Handler for Vista"
"DisplayName"="@X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlr.dll,-101"
"DisableLowILProcessIsolation"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32]
@="X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlr.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID]
@="PDFPrevHndlr.PDFPreviewHandler.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib]
@="{0F6D3808-7974-4B1A-94C2-3200767EACE8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID]
@="PDFPrevHndlr.PDFPreviewHandler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler]
@="Adobe PDF Preview Handler for Vista"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CLSID]
@="{DC6EFB56-9CFA-464D-8880-44885D7DC193}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CurVer]
@="PDFPrevHndlr.PDFPreviewHandler.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1]
@="Adobe PDF Preview Handler for Vista"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1\CLSID]
@="{DC6EFB56-9CFA-464D-8880-44885D7DC193}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim]
@="Adobe PDF Preview Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim\CLSID]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim\CurVer]
@="PDFPrevHndlrShim.PDFPrevHndlrShim.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim.1]
@="Adobe PDF Preview Handler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim.1\CLSID]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers]
"{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"="Adobe PDF Preview Handler"
"{DC6EFB56-9CFA-464D-8880-44885D7DC193}"="Adobe PDF Preview Handler for Vista"