Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Adobe Patches Vulnerabilities First Disclosed at Pwn2Own 2017

    By
    Sean Michael Kerner
    -
    April 12, 2017
    Share
    Facebook
    Twitter
    Linkedin
      Pwn2own 2017

      On April 11, Adobe released its monthly Patch Tuesday update, providing patches for 59 vulnerabilities across its software application product portfolio, fixing multiple issues first revealed at the Pwn2Own 2017 hacking contest in March.

      The Adobe updates include seven security vulnerabilities in Flash Player (CVE-2017-3058, CVE-2017-3059, CVE-2017-3060, CVE-2017-3061, CVE-2017-3062, CVE-2017-3063, CVE-2017-3064), one in Adobe Campaign (CVE-2017-2989), two in Photoshop (CVE-2017-3004, CVE-2017-3005) and two in the Creative Cloud Desktop Application (CVE-2017-3006, CVE-2017-3007). In addition, there were 47 CVEs patched in the Adobe Reader PDF application this month.

      Looking specifically at the Adobe Flash advisory, Brian Gorenc, senior manager of vulnerability research at Trend Micro, noted that five of the seven fixed issues came through Trend Micro’s Zero Day Initiative (ZDI) program and two of the bugs (CVE-2017-3062 and CVE-2017-3063) were disclosed through Pwn2Own, which is operated by Trend Micro’s ZDI.

      The Pwn2Own event awards security researchers with cash prizes for demonstrating new zero-day exploits in software. At the Pwn2Own 2017 event, multiple groups of researchers targeted Adobe software as part of exploit chains. Tencent Security Team Sniper was awarded $40,000 by ZDI for demonstrating new flaws in Flash. Additionally, a team of researchers from Qihoo 360 Security was also able to exploit Flash with a different set of vulnerabilities that also earned the team $40,000 in awards.

      Pwn2Own participants also took aim at Adobe Reader, with Qihoo 360 Security demonstrating a remote code execution flaw and Tencent Security exploiting use-after-free issues to gain code execution.

      Looking at the April security advisory for Adobe Reader, Gorenc said 28 out of the 47 fixed issued came through ZDI, with three issues (CVE-2017-3055, CVE-2017-3056 and CVE-2017-3057) disclosed during this year’s Pwn2Own contest.  

      “As of this Patch Tuesday, Adobe has resolved all of the issues disclosed to them during the Pwn2Own contest,” Gorenc told eWEEK.

      Beyond just the Pwn2Own event, ZDI purchases vulnerabilities from security researchers year-round and will likely continue to buy Adobe Flash and Reader vulnerabilities for the foreseeable future.

      “As with any software, there will always be bugs,” Gorenc said. “And as long as these vulnerabilities exist, ZDI will continue to buy them.”

      Pwn2Own Patch Status

      Adobe is now the latest, but not the last, vendor to patch issues first disclosed at the Pwn2Own event. Both Mozilla and Ubuntu Linux rapidly patched issues within days of being notified by ZDI about new vulnerabilities. VMware patched Pwn2Own vulnerabilities that impacted its products at the end of March.

      “We were happy to see the quick responses from [Mozilla] Firefox, VMware and Adobe,” Gorenc said. “Consumers can use these quick responses as evidence of the vendor’s commitment to ensuring their products are as secure as possible.”

      Among the other vendors that were directly targeted and exploited with zero-days at the Pwn2Own 2017 event was Microsoft. However, Microsoft has not been as quick as Mozilla, VMware, Ubuntu and Adobe to patch the Pwn2Own 2017 issues.

      “Microsoft has not addressed any of the vulnerabilities disclosed to them during the Pwn2Own contest,” Gorenc said.

      While Microsoft has not yet patched its Pwn2Own flaws, it still has some time. The way that Pwn2Own works is that the vulnerabilities are privately disclosed to the vendor, with full details not immediately made public. ZDI has a 120-day disclosure policy, which aims to give vendors an adequate amount of time to patch issues.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×