Detecting the Recent Adobe 0-Day (APSA10-01) with Nessus

On June 4, 2010, Adobe announced a new attack being exploited in the wild that targeted Adobe products, and word spread quickly. Adobe’s security bulletin (APSA10-01) provided few details, but confirmed that attackers were actively exploiting a vulnerability that affected their Flash Player, Adobe Reader and Acrobat. The advisory provided some immediate mitigation techniques such as upgrading Flash Player to 10.1 RC or removing access to authplay.dll for Reader or Acrobat. These mitigations may not be practical for many environments due to upgrade policies or the fact that without authplay.dll, Reader and Acrobat will crash if loading a PDF that contains SWF content.

Tenable has already released two plugins that use a credentialed check on Windows systems to determine the version of Acrobat (Plugin 46851) or Reader (Plugin 46852) installed on a system, check for the presence of authplay.dll in the installation directory and warn if a vulnerable combination is detected for this issue. These plugins complement the older version detection plugins for Acrobat (Plugin 40797) or Reader (Plugin 20836) that can always be used to compare installed software to vulnerable versions listed in Adobe advisories, until more accurate detection plugins can be created.

On June 10, Tenable released plugins to detect the APSB10-14 upgrade for Adobe Air (Plugin 46858) and Flash (Plugin 46859). The Adobe upgrades for these two products fix the 0-day vulnerability in two of the four vulnerable products. Per the advisory, Adobe does not have an upgrade for Acrobat or Reader, but expects to by June 29. When Adobe makes the upgrades available, Tenable will update existing plugins or create new ones as required to verify a system is not vulnerable.

APSA10-01 “0-day” at a Glance:

• Date published: June 4, 2010
• CVE: 2010-1297 (assigned April 6)
• BID: 40586
• OSVDB: 65141
• Malware: Trojan.Pidief.J