

66 comment(s) - last by QueBert.. on Jun 9 at 5:10 AM

Exploit attacks Flash Player 9 and 10 as well as Reader/Acrobat 9.x

Steve Jobs has been on a crusade against Adobe Flash for quite some time, citing issues with performance, stability, and security. Today, Adobe is fueling Jobs' concerns and likely giving the Apple CEO fodder for his WWDC keynote, which is coming up on Monday.

According to Adobe, there is a critical vulnerability in versions of Flash Player (Windows, OS X, Linux, Solaris) and Reader/Acrobat 9.x (Windows, OS X, UNIX). The exploit allows a hacker to gain control over an affected system.

Even more troubling is that Adobe says that it currently doesn't have a fix and "there are reports that this vulnerability is being actively exploited in the wild."

Adobe says that the following versions of its products are affected:

  • Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions
  • Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions

It should be noted, however, that the current Release Candidate version of Flash Player 10.1 "does not appear to be vulnerable" to this exploit, and Adobe Reader/Acrobat 8.x are also safe.

You can view Adobe's full advisory on the exploit here which also details steps to minimize the impact of the exploit with Reader/Acrobat 9.x.




By stmok on 6/5/2010 10:31:59 PM , Rating: 0
Do you know what really annoys me? News sites posting how some specific piece of software has some security issue that *could* result in total system compromise; then they don't talk about what the user can do as temporary mitigation until it's fixed! No wonder why people freak out!

From the Adobe Bulletin...

Adobe Flash Player
The Flash Player 10.1 Release Candidate available at http://labs.adobe.com/technologies/flashplayer10/ does not appear to be vulnerable.

Adobe Reader and Acrobat
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

To put it in plain English; you can address the issue by doing the following:
(1) Update to Flash Player 10.1 RC
(2) Find authplay.dll and either delete it; rename it; or use something like file/user permissions (set it to deny everyone access to it) or Software Restriction Policy or AppLocker to prevent access to this affected component.

I'm not sure about the latter part for Linux users...I do see a file called libauthplay.so ... Which is a symbolic link that points to libauthplay.so.0.0.0 ... Maybe change permissions/rename that file?
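The Windows mitigation quoted in the comment above (rename authplay.dll or deny access to it), as an added PowerShell example that is not part of the original comment or of Adobe's bulletin. It assumes the typical install paths quoted from the bulletin; the `ProgramFiles(x86)` lookup, the `.disabled` suffix and the `-Mode` parameter are assumptions made for this example.

```powershell
# Added example: apply the authplay.dll mitigation for Reader/Acrobat 9.x.
# Save as a .ps1 file and run from an elevated prompt; add -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Rename keeps the file beside the original for easy rollback;
    # Deny leaves it in place but blocks everyone from loading it.
    [ValidateSet('Rename', 'Deny')]
    [string]$Mode = 'Rename'
)

# Typical locations from the bulletin; the (x86) root is an assumption for 64-bit Windows.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
$relative = @(
    'Adobe\Reader 9.0\Reader\authplay.dll',
    'Adobe\Acrobat 9.0\Acrobat\authplay.dll'
)

$found = foreach ($root in $roots) {
    foreach ($rel in $relative) {
        $path = Join-Path $root $rel
        if (Test-Path -LiteralPath $path -PathType Leaf) { $path }
    }
}

if (-not $found) {
    Write-Output 'authplay.dll not found in the typical Reader/Acrobat 9.x locations.'
    return
}

foreach ($path in $found) {
    if ($Mode -eq 'Rename') {
        if ($PSCmdlet.ShouldProcess($path, 'Rename to authplay.dll.disabled')) {
            Rename-Item -LiteralPath $path -NewName 'authplay.dll.disabled'
            Write-Output "Renamed: $path"
        }
    }
    elseif ($PSCmdlet.ShouldProcess($path, 'Deny read/execute to Everyone')) {
        # *S-1-1-0 is the well-known SID for Everyone; an explicit deny
        # entry is evaluated before any allow entries on the file.
        & icacls.exe $path /deny '*S-1-1-0:(RX)' | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $path" }
        else { Write-Output "Access denied to Everyone: $path" }
    }
}
```

As the bulletin notes, after either change a PDF that contains SWF content produces a non-exploitable crash or error message instead of rendering.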




By Brandon Hill (blog) on 6/5/2010 10:39:44 PM , Rating: 3
Did you not read the last two paragraphs?


By stmok on 6/5/2010 10:46:52 PM , Rating: 1
I mean; include the needed details with your article, instead of posting links.


By FaaR on 6/6/2010 12:09:56 AM , Rating: 2
...Because it's so hard to just click a link?

Sheesh. You young people, in my day if we wanted information we had to WALK TO THE LIBRARY!!! ...Uphill! Both ways!


By PerfectAgent007 on 6/6/2010 1:41:22 AM , Rating: 2
IN THE SNOW!


By cscpianoman on 6/6/2010 8:18:14 AM , Rating: 2
Carrying your two younger cousins on your back.


By Anoxanmore on 6/7/2010 10:24:54 AM , Rating: 2
Barefoot!


By Joz on 6/7/2010 10:42:44 AM , Rating: 2
And a sandwich and Superman comic book was only 25 cents, total! Young whippersnappers!


By afkrotch on 6/7/2010 10:20:27 PM , Rating: 2
and the roads weren't paved back then.


Copyright 2014 DailyTech LLC.