TippingPoint Digital Vaccine Laboratories

PWN to OWN Adobe patch released

This year’s PWN to OWN wrap-up includes another record-breaking update by the affected vendor. Adobe has released a Flash update which corrects the bug found by Shane Macauley that he used to exploit the Windows Vista laptop at CanSecWest, as well as correcting a number of other issues that Adobe had in the pipeline—including a similar Flash vulnerability discovered through the Zero Day Initiative (ZDI). The ZDI can confirm that this bug is exploitable cross-platform, so all users of Flash, regardless of OS brand, should download the update.

According to Adobe’s blog, by the time they received the report from CanSecWest, they already had a working patch for the issue due to other bugs in the same area being fixed.
Our ZDI Disclosure team first notified Adobe of this issue on February 7th, and we are pleased to see the fast turnaround time.

There is always a great amount of debate around legitimate companies purchasing previously unknown “zero day” vulnerabilities, either directly or through a contest such as the PWN to OWN put on by the CanSecWest organizers. While it can be difficult to see the value to consumers and customers that a program like the ZDI provides, I think that this is a shining example of that value.

If you have a look at a blog posting by Errata Security from November 12th of 2007, there is an interesting entry with some screenshots of a crash analysis in Flash 9 viewed using the WinDBG debugger in postmortem mode. At the time of the post, the author speculated it may be an “unexploitable double free”; a little closer look on their side, and they found that they had indeed happened across an exploitable Flash vulnerability, which was weaponized, incorporated into their pen-testing tools and distributed to their customers.

I confirmed after the release of Adobe’s patch that the vulnerability discovered and alluded to in the blog post was, indeed, the same vulnerability used in the PWN to OWN contest. Errata Security has a non-disclosure policy regarding the vulnerabilities they uncover and incorporate into their tools, much like many other companies with similar tools such as ImmunitySec’s Canvas (although Canvas comes with a framework, while ErrataSec’s tool, which is incorporated in the “Hacker Eye View Analysis Service”, only comes with the exploits which they write).

The moral of the story is that many exploitable, weaponizable vulnerabilities are fairly easy to discover, especially in some of the third-party client-side applications which have not suffered the intense scrutiny of the core operating systems themselves. If I’m doing my math right here, 3 independent researchers were aware of this flaw beginning as early as November 2007. Where there are 3, there are certainly more, as the skillset and tools necessary to discover vulnerabilities continue to expand. Yet the affected vendor (Adobe in this example) did not become aware of the flaw, and subsequently the risk to their customers, until two of the folks who found these flaws felt sufficient motivation to hand them over.

Tags: cansecwest,pwn2own,adobe
Published On: 2008-04-10 07:10:49
