[ISN] Adobe claims it knew of 'Pwn to Own' bug

From: InfoSec News (alerts@private)
Date: Fri Apr 04 2008 - 01:01:59 PST


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9074719

By Gregg Keizer
April 3, 2008 
Computerworld

Security researchers at Adobe Systems Inc. claimed that they knew of a 
Flash bug before it was used to crack a Windows Vista laptop last week 
in the "Pwn to Own" hacker challenge.

Late yesterday, Adobe also said it had fixed the flaw and would patch 
the problem this month.

"After some internal investigation, we found that via our ongoing 
response and security testing process, we were aware of the issue and 
had fixed it for our security update coming in the next Flash Player 
update later this month," said Erick Lee, the manager of Adobe's secure 
software engineering team, in a post to the group's blog.

3Com Inc.'s TippingPoint unit, which ponied up the cash prizes awarded 
for hacking a MacBook Air and the Vista-powered Fujitsu laptop, acquired 
the vulnerabilities as part of the deal and reported them last week to 
Apple Inc. and Adobe.

At the CanSecWest security conference last Friday, Shane Macaulay, a 
consultant at Security Objectives, claimed a $5,000 prize by 
compromising the Fujitsu Ltd. machine using an exploit of the Flash 
vulnerability that Lee said had been known and fixed. According to 
TippingPoint, Macaulay took several hours to work up an attack, his 
difficulties caused by some of the defense-in-depth measures added by 
Microsoft Corp. to Service Pack 1 of Vista.

Neither Macaulay nor TippingPoint have discussed the Flash bug in more 
than general terms.

Lee downplayed the threat posed by the bug Macaulay used. "Adobe is not 
aware of any active exploits in wild," he said. "The security 
researchers have reported the information to us responsibly, giving the 
Flash Player team time to investigate and deliver a patch."

That patch will be issued as part of a previously scheduled update to 
Flash Player that is to intended to, among other things, fix a 
longstanding problem posed by .swf files, the Adobe proprietary 
Shockwave Flash format. The .swf bug, which was reported in December by 
a Google Inc. researcher, has left thousands of Web sites vulnerable to 
cross-site scripting attacks.

More than three weeks ago, Adobe alerted users that a Flash Player 
update was coming. Although it said the patches would not affect end 
users, it warned Web site designers and administrators that they would 
need to make numerous changes to how they deliver Shockwave Flash 
content or risk their sites "breaking" when the April update lands on 
users' desktops.

Adobe was not immediately available to answer questions about when it 
first knew of the bug and why it had not released it earlier.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Fri Apr 04 2008 - 01:07:11 PST