ADE Security Update & Security of Old Versions

[bookmarked]

Today Adobe published a security bulletin and updates for ADE (Adobe Digital Editions). This issue affects "Adobe Digital Editions 4.5.0 and earlier versions" on Windows, Macintosh, iOS and Android. Adobe is categorizing this as a Critical vulnerability ("A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware."), but with a low priority since, unlike Flash and Reader, ADE is not commonly targeted by malware.

Spoiler:

Quote:

Adobe Security Bulletin
Security update available for Adobe Digital Editions

Release date: March 8, 2016

Vulnerability identifier: APSB16-06

Priority: 3

CVE number: CVE-2016-0954

Platform: Windows, Macintosh, iOS and Android
Summary

Adobe has released a security update for Adobe Digital Editions 4.5.0 and earlier versions. This update resolves a critical memory corruption vulnerability that could lead to code execution.
Affected versions
Product Affected version Platform
Adobe Digital Editions 4.5.0 and earlier versions Windows, Macintosh, iOS and Android
Solution

Adobe categorizes this update with the following priority ratings and recommends users update their installation to the newest version:
Product Updated version Platform Priority rating Availability
Windows
3 Download Page
Adobe Digital Editions 4.5.1 Macintosh 3 Download Page
iOS 3 iTunes
Android 3 Playstore

Customers using Adobe Digital Editions 4.5.0 on Windows can download the update from the Adobe Digital Editions download page, or utilize the product’s update mechanism when prompted. Customers using Digital Editions for iOS and Android can download the update from the respective app store.

For more information, please reference the release notes.
Vulnerability Details

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2016-0954).
Acknowledgments

Adobe would like to thank Pier-Luc Maltais of COSIG (CVE-2016-0954) for reporting this issue and for working with Adobe to help protect our customers.

It appears that details on the vulnerability are being withheld until people have a chance to install the updated version of ADE (4.5.1). The CVE database still says this CVE number is "reserved." So, I'm not quite sure if "earlier versions" includes all older versions or just older versions of ADE 4.x.

This brings me to my question. IIRC, many of you have been holding off on upgrading beyond ADE 2.01 because of DRM issues with ADE 3 and newer. If that's correct, what are you doing to protect yourselves from security problems with the older versions?

Adobe doesn't list very many ADE vulnerabilities, Security Bulletins and Advisories - Adobe Digital Editions, but this bulletin shows a vulnerability in ADE 2.01 on Windows and Mac which is fixed in ADE 3. The oldest bulletin listed is for ADE 2.0.0 which is fixed by 2.0.1, so I'm not sure about any problems with 1.7.x.

The only thing I can think of to be safe with older versions is to change the settings in my browsers and operating systems so that ADE doesn't automatically open ACSM, PDF, and epub files. Any other ideas?

[JSWolf]

You are worrying about nothing. I've been using ADE 2.0.1 for a long time and I've never had an issue. I only download ACSM from bookstores and Overdrive. So just stick with 2.0.1and you'll be fine. DO not go with any version later than 2.0.1 or you could possibly be screwed by the DRM.

[GeoffR]

Quote:

Originally Posted by bookmarked

The only thing I can think of to be safe with older versions is to change the settings in my browsers and operating systems so that ADE doesn't automatically open ACSM, PDF, and epub files. Any other ideas?

Since it is a vulnerability that allows code to be executed, I would treat every file that ADE opens as if I was running an executable. I.e. don't use it to open books that come from untrusted sources.

I wouldn't rely on retailers/distributors checking whether the books they sell contain malicious code, so that means I would also need to trust the original publisher/creator of the book.

[Purple Lady]

I'm sticking with 2.0.1 because I don't want to worry about the new drm. I don't trust Adobe at all - how do I know there really is a risk? They could be trying to scare people into downloading the new version. Does this bug exist in 2.0.1 or was it introduced in later versions?

[DiapDealer]

I will staunchly refuse to worry about any ADE vulnerabilities. Much easier that way.

[AnemicOak]

Quote:

Originally Posted by DiapDealer

I will staunchly refuse to worry about any ADE vulnerabilities. Much easier that way.

[eschwartz]

Quote:

Originally Posted by DiapDealer

I will staunchly refuse to worry about any ADE vulnerabilities. Much easier that way.

[Fbone]

Off topic.

I just received notice my credit card was compromised again! This is the 5th time in less than a year. So, I've long realized that nothing is secure and we are all vulnerable.

[pidgeon92]

Quote:

Originally Posted by Fbone

Off topic.

I just received notice my credit card was compromised again! This is the 5th time in less than a year. So, I've long realized that nothing is secure and we are all vulnerable.

I've had this happen three or four times in the last several years. I now have all of my bank apps set to message me whenever any charge hits any of my cards. I get the ding on my Apple watch and iPhone almost immediately when I make a purchase. I did the same with my dad's Mastercard, and it got hit a couple of months ago. I was able to call the issuing bank and cancel the card immediately after receiving notification of a purchase I know he would not have made.

[kovidgoyal]

The standard way to run known insecure software is to run it inside a virtual machine created specifically for it. Make a snapshot of the machine state before the first time you run the software. Then after you finish using the software restore the VM snapshot.

While that is not 100% secure (it's possible for virtual machines to have security bugs allowing code to escape the virtual machine) it does make it much harder for malicious code to cause any damage.