On April 11, Adobe released its monthly Patch Tuesday update, providing patches for 59 vulnerabilities across its software application product portfolio, fixing multiple issues first revealed at the Pwn2Own 2017 hacking contest in March.
The Adobe updates include seven security vulnerabilities in Flash Player (CVE-2017-3058, CVE-2017-3059, CVE-2017-3060, CVE-2017-3061, CVE-2017-3062, CVE-2017-3063, CVE-2017-3064), one in Adobe Campaign (CVE-2017-2989), two in Photoshop (CVE-2017-3004, CVE-2017-3005) and two in the Creative Cloud Desktop Application (CVE-2017-3006, CVE-2017-3007). In addition, there were 47 CVEs patched in the Adobe Reader PDF application this month.
Looking specifically at the Adobe Flash advisory, Brian Gorenc, senior manager of vulnerability research at Trend Micro, noted that five of the seven fixed issues came through Trend Micro's Zero Day Initiative (ZDI) program and two of the bugs (CVE-2017-3062 and CVE-2017-3063) were disclosed through Pwn2Own, which is operated by Trend Micro's ZDI.
The Pwn2Own event awards security researchers with cash prizes for demonstrating new zero-day exploits in software. At the Pwn2Own 2017 event, multiple groups of researchers targeted Adobe software as part of exploit chains. Tencent Security Team Sniper was awarded $40,000 by ZDI for demonstrating new flaws in Flash. Additionally, a team of researchers from Qihoo 360 Security was also able to exploit Flash with a different set of vulnerabilities that also earned the team $40,000 in awards.
Pwn2Own participants also took aim at Adobe Reader, with Qihoo 360 Security demonstrating a remote code execution flaw and Tencent Security exploiting use-after-free issues to gain code execution.
Looking at the April security advisory for Adobe Reader, Gorenc said 28 out of the 47 fixed issued came through ZDI, with three issues (CVE-2017-3055, CVE-2017-3056 and CVE-2017-3057) disclosed during this year's Pwn2Own contest.
"As of this Patch Tuesday, Adobe has resolved all of the issues disclosed to them during the Pwn2Own contest," Gorenc told eWEEK.
Beyond just the Pwn2Own event, ZDI purchases vulnerabilities from security researchers year-round and will likely continue to buy Adobe Flash and Reader vulnerabilities for the foreseeable future.
"As with any software, there will always be bugs," Gorenc said. "And as long as these vulnerabilities exist, ZDI will continue to buy them."
Pwn2Own Patch Status
Adobe is now the latest, but not the last, vendor to patch issues first disclosed at the Pwn2Own event. Both Mozilla and Ubuntu Linux rapidly patched issues within days of being notified by ZDI about new vulnerabilities. VMware patched Pwn2Own vulnerabilities that impacted its products at the end of March.
"We were happy to see the quick responses from [Mozilla] Firefox, VMware and Adobe," Gorenc said. "Consumers can use these quick responses as evidence of the vendor's commitment to ensuring their products are as secure as possible."
Among the other vendors that were directly targeted and exploited with zero-days at the Pwn2Own 2017 event was Microsoft. However, Microsoft has not been as quick as Mozilla, VMware, Ubuntu and Adobe to patch the Pwn2Own 2017 issues.
"Microsoft has not addressed any of the vulnerabilities disclosed to them during the Pwn2Own contest," Gorenc said.
While Microsoft has not yet patched its Pwn2Own flaws, it still has some time. The way that Pwn2Own works is that the vulnerabilities are privately disclosed to the vendor, with full details not immediately made public. ZDI has a 120-day disclosure policy, which aims to give vendors an adequate amount of time to patch issues.