Hi @ll,

the current Adobe Reader 11.0.03 installs the following VULNERABLE
(3rd party) components:

1. Adobe Flash Player Plugin 11.5.502.110

| X:\>filever.exe /S "%ProgramFiles%\Adobe\npswf*.dll"
| x:\program files\adobe\reader 11.0\reader\npswf*.dll
| --a-- W32i DLL ENU 11.5.502.110 shp 14,588,632 05-11-2013 npswf32.dll

   Cf. <http://www.adobe.com/support/security/bulletins/apsb13-17.html>,
       <http://www.adobe.com/support/security/bulletins/apsb13-16.html>,
       <http://www.adobe.com/support/security/bulletins/apsb13-14.html>,
       <http://www.adobe.com/support/security/bulletins/apsb13-11.html>,
       <http://www.adobe.com/support/security/bulletins/apsb13-09.html>,
       <http://www.adobe.com/support/security/bulletins/apsb13-08.html>,
       <http://www.adobe.com/support/security/bulletins/apsb13-05.html>,
       <http://www.adobe.com/support/security/bulletins/apsb13-04.html>,
       <http://www.adobe.com/support/security/bulletins/apsb13-01.html>
   and <http://www.adobe.com/support/security/bulletins/apsb12-27.html>

   The wise guys at Adobe missed 10 security updates of their own product!

2. MSVC++ 2008 runtime libraries 9.0.21022.8

| X:\>filever.exe /S "%SystemRoot%\WinSxS\msvc?90.dll"
| x:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvc?90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 224,768 11-06-2007 msvcm90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 568,832 11-07-2007 msvcp90.dll
| --a-- W32i DLL ENU 9.0.21022.8 shp 655,872 11-07-2007 msvcr90.dll

   These DLLs have been updated several times since 2007-11-07, cf.
   <http://support.microsoft.com/kb/973551> and
   <http://support.microsoft.com/kb/973552> alias
   <http://www.microsoft.com/technet/security/bulletin/ms09-035>
   as well as
   <http://support.microsoft.com/kb/2467174> and
   <http://support.microsoft.com/kb/2538243> alias
   <http://www.microsoft.com/technet/security/bulletin/ms11-025>

   JFTR: Adobe Reader XI was released 2012-09-24, more than one year
   after MS11-025!

3. MSVC++ 2010 runtime libraries 10.0.40219.1

| X:\>filever.exe /S "%SystemRoot%\System32\msvc?100.dll"
| x:\windows\system32\msvcp100.dll
| --a-- W32i DLL ENU 10.0.40219.1 shp 421,200 02-19-2011 msvcp100.dll
| x:\windowsp\system32\msvcr100.dll
| --a-- W32i DLL ENU 10.0.40219.1 shp 773,968 02-19-2011 msvcr100.dll

   Cf. <http://support.microsoft.com/kb/24671743> and
       <http://support.microsoft.com/kb/2565063> alias
       <http://www.microsoft.com/technet/security/bulletin/ms11-025>

   JFTR: Adobe Reader XI was released 2012-09-24, more than one year
   after MS11-025!

   Unfortunately, the wise guys at Adobe don't know the platform on which
   their product runs and include the MSVC++ 2008 and 2010 runtimes via
   MSI merge module.

   Due to a well-known idiosyncrasy of Windows Update Agent, M$FT
   components installed via MSI merge module are NOT detected and thus
   not updated by M$FT ... although M$FT advises their users to do so!

   From the FAQ section of
   <http://www.microsoft.com/technet/security/bulletin/ms11-025>:

| In the case where a system has no MFC applications currently installed but
| does have the vulnerable Visual Studio or Visual C++ runtimes installed,
| Microsoft recommends that users install this update as a defense-in-depth
| measure, in case of an attack vector being introduced or becoming known at
| a later time.

4. Additionally, the following dangling references to Acrobat.exe are
   created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\Acrobat.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdfxml\OpenWithList\Acrobat.exe]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcroExch.Document.11\protocol\StdFileEditing\server]
@="\"Acrobat.exe\""

   The latter allows the execution of a rogue program named "Acrobat.exe"
   from CWD via OLE in the security context of the logged on user.
   Cf. <http://technet.microsoft.com/security/advisory/2269637>

5. On Windows XP the following superfluous registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\"
"AppName"="AcroBroker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{358E6F10-DE8A-4602-8424-179CA217F8EE}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="AcroRd32Info.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\"
"AppName"="AdobeARM.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3}]
"Policy"=dword:00000003
"AppName"="AdobeCollabSync.exe"
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578}]
"Policy"=dword:00000003
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="AcroRd32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A2397324-4D73-4870-A795-995C56F49FBD}]
"Policy"=dword:00000001
"AppPath"="X:\\Program Files\\Adobe\\Reader 11.0\\Reader"
"AppName"="arh.exe"

   If the wise guys at Adobe knew the platform on which their product runs
   a little better they'd probably know that "Low Rights\ElevationPolicy"
   is supported on Windows Vista and later only.

Stefan Kanthak

PS: the "PDF Preview Handlers" which are installed unconditionally on
Windows XP are superfluous too (at least when Outlook 2007 is not
installed). Cf. <http://msdn.microsoft.com/library/cc144143.aspx>

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}]
"AppID"="{5D238751-7E51-4F24-9E7D-93C58881B20B}"
"DisplayName"="@\"X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlrshim.exe\",-101"
@="Adobe PDF Preview Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\LocalServer32]
@="\"X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlrshim.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\ProgID]
@="PDFPrevHndlrShim.PDFPrevHndlrShim.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\TypeLib]
@="{A58FB5B3-CF96-4C63-B0D2-232A1AEA1A1B}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49400A7C-81A8-4F52-8CCE-D54739EE87EC}\VersionIndependentProgID]
@="PDFPrevHndlrShim.PDFPrevHndlrShim"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}]
"AppID"="{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"
@="Adobe PDF Preview Handler for Vista"
"DisplayName"="@X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlr.dll,-101"
"DisableLowILProcessIsolation"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\InprocServer32]
@="X:\\Program Files\\Adobe\\Reader 11.0\\Reader\\pdfprevhndlr.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\ProgID]
@="PDFPrevHndlr.PDFPreviewHandler.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib]
@="{0F6D3808-7974-4B1A-94C2-3200767EACE8}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\VersionIndependentProgID]
@="PDFPrevHndlr.PDFPreviewHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler]
@="Adobe PDF Preview Handler for Vista"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CLSID]
@="{DC6EFB56-9CFA-464D-8880-44885D7DC193}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler\CurVer]
@="PDFPrevHndlr.PDFPreviewHandler.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1]
@="Adobe PDF Preview Handler for Vista"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlr.PDFPreviewHandler.1\CLSID]
@="{DC6EFB56-9CFA-464D-8880-44885D7DC193}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim]
@="Adobe PDF Preview Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim\CLSID]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim\CurVer]
@="PDFPrevHndlrShim.PDFPrevHndlrShim.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim.1]
@="Adobe PDF Preview Handler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PDFPrevHndlrShim.PDFPrevHndlrShim.1\CLSID]
@="{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers]
"{49400A7C-81A8-4F52-8CCE-D54739EE87EC}"="Adobe PDF Preview Handler"
"{DC6EFB56-9CFA-464D-8880-44885D7DC193}"="Adobe PDF Preview Handler for Vista"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
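An audit script added by the editor, not part of Stefan Kanthak's post: it checks one machine for the five conditions the post lists (the bundled component versions, the unpatched VC90 CRT in WinSxS, the unqualified "Acrobat.exe" OLE server and OpenWithList keys, and ElevationPolicy entries on a pre-Vista Windows). File paths, registry keys and version strings are taken from the post; a 32-bit Windows with Reader under %ProgramFiles% is assumed.

```powershell
# Added audit script, not part of the original post: checks a Reader XI
# install for the issues listed above. Paths, keys and version strings
# come from the post; the 32-bit %ProgramFiles% layout is an assumption.
$reader   = Join-Path $env:ProgramFiles 'Adobe\Reader 11.0\Reader'
$findings = @()

# 1./3. Bundled components still at the versions the post calls vulnerable.
$knownBad = @{
    (Join-Path $reader 'npswf32.dll')                   = '11.5.502.110'
    (Join-Path $env:SystemRoot 'System32\msvcr100.dll') = '10.0.40219.1'
    (Join-Path $env:SystemRoot 'System32\msvcp100.dll') = '10.0.40219.1'
}
foreach ($path in $knownBad.Keys) {
    if (-not (Test-Path $path)) { continue }
    $ver = (Get-Item $path).VersionInfo.FileVersion
    if ($ver -eq $knownBad[$path]) { $findings += "Outdated component: $path ($ver)" }
}

# 2. The MSVC++ 2008 CRT lives in WinSxS; 9.0.21022.8 is the build the post flags.
$sxs = Get-ChildItem "$env:SystemRoot\WinSxS" -Filter 'x86_microsoft.vc90.crt_*_9.0.21022.8_*' -ErrorAction SilentlyContinue
foreach ($dir in $sxs) { $findings += "Unpatched MSVC++ 2008 CRT: $($dir.FullName)" }

# 4. An unqualified "Acrobat.exe" as OLE server is resolved relative to the CWD.
$oleServer = 'HKLM:\SOFTWARE\Classes\AcroExch.Document.11\protocol\StdFileEditing\server'
if (Test-Path $oleServer) {
    $srv = (Get-ItemProperty $oleServer).'(default)'
    if ($srv -and -not [IO.Path]::IsPathRooted($srv.Trim('"'))) {
        $findings += "Unqualified OLE server path: $srv"
    }
}
foreach ($ext in '.acrobatsecuritysettings', '.pdfxml') {
    if (Test-Path "HKLM:\SOFTWARE\Classes\$ext\OpenWithList\Acrobat.exe") {
        $findings += "Dangling OpenWithList entry for $ext"
    }
}

# 5. Low Rights\ElevationPolicy is only honoured on Vista (NT 6.0) and later,
#    so Adobe's entries on XP are dead weight.
$policy = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
if ([Environment]::OSVersion.Version.Major -lt 6 -and (Test-Path $policy)) {
    foreach ($key in Get-ChildItem $policy) {
        $p = Get-ItemProperty $key.PSPath
        if ($p.AppPath -like '*Adobe*') { $findings += "Superfluous ElevationPolicy on XP: $($p.AppName)" }
    }
}

if ($findings) { $findings } else { 'No findings' }
```

Run it from an elevated PowerShell on the machine under review; each finding names the file or registry key so it can be cross-checked against the entries quoted in the post.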