A Couple of Vulnerabilities Worth Mentioning

Mozilla has released Firefox 3.5.6, 3.0.16, and SeaMonkey 2.0.1 to address 7 newly-disclosed vulnerabilities. 

3 of the vulnerabilities are rated critical.


Adobe has acknowledged the recently disclosed “Zero-Day” remote code execution vulnerability in Reader and Acrobat, but won’t issue a patch until January 12, 2010, which is also the next Microsoft & Adobe Patch Tuesday.

Many anti-virus products have already added detection for the specific attack that is now in the wild.  Enabling DEP for Acrobat or Reader on versions of Windows which support it limits the potential of the attack to a denial of service.   Individual users can disable JavaScript if they are sure they don’t need it, using Adobe’s instructions:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit>Preferences
  3. Select the JavaScript Category
  4. Uncheck the ‘Enable Acrobat JavaScript’ option
  5. Click OK

Enterprise users are going to be a challenge to deal with. However, Acrobat and Reader let you turn off specific features of JavaScript, so other JavaScript programs can keep running while the mitigation is in place. On Windows the setting is made with a registry key; on UNIX and Mac, with a line in a configuration file. In both cases the vulnerable function is “DocMedia.newPlayer”.
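While those settings roll out, incoming PDFs can be triaged for the features the mitigation targets. The sketch below is an added example, not code from this post or from Adobe. It flags documents that carry JavaScript, run an action on open, or mention `newPlayer` inside Flate-compressed streams. The helper names, the sample fragment and the choice to match the bare method name are assumptions.

```python
import re
import zlib

# Name taken from the page's "DocMedia.newPlayer". Matching the bare method
# name is an assumption here: scripts call it on an object, not on the class.
TARGET = b"newPlayer"
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes so that /J#61vaScript reads as /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return every stream body, inflated when it is zlib (Flate) data."""
    bodies = []
    for match in STREAM_RE.finditer(data):
        raw = match.group(1)
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream"
            bodies.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            bodies.append(raw)  # other filter or damaged data: keep raw bytes
    return bodies


def triage_pdf(data: bytes) -> dict:
    """Report whether a PDF carries JavaScript and mentions newPlayer."""
    names = decode_names(data)
    chunks = [data] + inflate_streams(data)
    return {
        "has_javascript": b"/JavaScript" in names or b"/JS" in names,
        "auto_action": b"/OpenAction" in names or b"/AA" in names,
        "mentions_new_player": any(TARGET in chunk for chunk in chunks),
    }


def build_sample(script: bytes) -> bytes:
    """Constructed PDF-like fragment for testing (not an openable document)."""
    body = zlib.compress(script)
    return (b"%PDF-1.4\n1 0 obj\n<< /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + body + b"\nendstream\nendobj\n")
```

A hit on `mentions_new_player` only marks a file for closer inspection, since legitimate multimedia PDFs can call the same function. Streams that use other filters or encryption are not decoded by this sketch.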

The exploit itself is being passed around and is available (to Offensive Computing subscribers) here.  It also appears that development of a Metasploit module is underway already.  There goes the neighborhood…

EDIT:  How to disable Adobe JavaScript using GPOs:  http://travisgreen.net/2009/05/disabling-javascript-via-gpo.html