Multiboxing.com - Multiboxing in World of Warcraft and more!
          

06-08-2010, 06:53 AM   #1
Poyzon
Security Advisory for Flash Player, Adobe Reader and Acrobat

Source: Adobe - Security Advisories: Security Advisory for Flash Player, Adobe Reader and Acrobat

Adobe Downloads Page: Adobe Labs - Downloads: Flash Player 10 Prereleases

WoW Forums post: World of Warcraft - English (NA) Forums -> We're vulnerable, too!!!

Quote:
Originally Posted by Adobe
Release date: June 4, 2010

Last updated: June 7, 2010

Vulnerability identifier: APSA10-01

CVE number: CVE-2010-1297

Platform: All

SUMMARY

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.

We are in the process of finalizing a fix for the issue, and expect to provide an update for Flash Player 10.x for Windows, Macintosh, and Linux by June 10, 2010. The patch date for Flash Player 10.x for Solaris is still to be determined. We expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010.

AFFECTED SOFTWARE VERSIONS

Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris
Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX

Note:
The Flash Player 10.1 Release Candidate available at Adobe Labs - Adobe Flash Player 10.1 is confirmed not vulnerable.
Adobe Reader and Acrobat 8.x are confirmed not vulnerable.

MITIGATIONS

Adobe Flash Player
The Flash Player 10.1 Release Candidate available at Adobe Labs - Adobe Flash Player 10.1 is confirmed not vulnerable.

Adobe Reader and Acrobat - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader 9.x and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

The authplay.dll that ships with Adobe Reader 9.x and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x - Macintosh

1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader
3) Select Show Package Contents
4) Go to the Contents->Frameworks folder
5) Delete or move the AuthPlayLib.bundle file

Acrobat Pro 9.x - Macintosh

1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro
3) Select Show Package Contents
4) Go to the Contents->Frameworks folder
5) Delete or move the AuthPlayLib.bundle file

Adobe Reader 9.x - UNIX

1) Go to installation location of Reader (typically a folder named Adobe)
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris)
3) Remove the library named "libauthplay.so.0.0.0"

SEVERITY RATING

Adobe categorizes this as a critical issue.

DETAILS

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.

The Flash Player 10.1 Release Candidate available at Adobe Labs - Adobe Flash Player 10.1 is confirmed not vulnerable.

Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Mitigation is available for Adobe Reader and Acrobat 9.x customers as detailed above.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

We are in the process of finalizing a fix for the issue, and expect to provide an update for Flash Player 10.x for Windows, Macintosh, and Linux by June 10, 2010. The patch date for Flash Player 10.x for Solaris is still to be determined. We expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010. Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: Adobe Product Security Incident Response Team (PSIRT) or by subscribing to the RSS feed here: Adobe Product Security Incident Response Team (PSIRT).

REVISIONS

June 7, 2010 - Update schedule information added, instructions for Macintosh and UNIX added to 'Mitigations' section
June 4, 2010 - Advisory released.
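
The rename mitigation quoted above can be applied across a whole install tree. The sketch below is an added example, not part of the Adobe advisory or the original post: it searches for the three component names the advisory lists and renames them. The `.disabled` suffix, the function names and the directory layout built in `demo()` are assumptions made for illustration.

```python
import os
import tempfile

# Component names as given in the advisory's MITIGATIONS section (lower-cased).
AUTHPLAY_NAMES = {"authplay.dll", "authplaylib.bundle", "libauthplay.so.0.0.0"}
SUFFIX = ".disabled"  # assumption: the advisory only says "renaming"; suffix is ours


def find_authplay(root):
    """Return sorted paths under root named like an authplay file or bundle dir."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name.lower() in AUTHPLAY_NAMES:
                hits.append(os.path.join(dirpath, name))
                dirnames.remove(name)  # do not descend into the bundle
        hits += [os.path.join(dirpath, n) for n in filenames
                 if n.lower() in AUTHPLAY_NAMES]
    return sorted(hits)


def disable_authplay(root, dry_run=True):
    """Rename each match to <name>.disabled; return the (old, new) pairs."""
    actions = []
    for path in find_authplay(root):
        target = path + SUFFIX
        if os.path.exists(target):
            raise FileExistsError(target)  # never overwrite an earlier backup
        if not dry_run:
            os.rename(path, target)
        actions.append((path, target))
    return actions


def demo():
    """Constructed Reader 9 layouts (UNIX and Macintosh) in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "Adobe", "Reader9", "Reader", "intellinux", "lib")
        os.makedirs(lib)
        open(os.path.join(lib, "libauthplay.so.0.0.0"), "wb").close()
        os.makedirs(os.path.join(root, "Adobe Reader 9", "Adobe Reader.app",
                                 "Contents", "Frameworks", "AuthPlayLib.bundle"))
        planned = len(disable_authplay(root))           # dry run changes nothing
        before = len(find_authplay(root))
        disable_authplay(root, dry_run=False)
        return planned, before, len(find_authplay(root))


if __name__ == "__main__":
    print(demo())
```

Renaming rather than deleting keeps the component available to restore once the patched Reader and Acrobat builds are installed.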

06-08-2010, 08:20 AM   #2
Tim
Re: Security Advisory for Flash Player, Adobe Reader and Acrobat

Whoa, an update to adobe reader and acrobat by the 29th? That is INSANE! I recommend everybody uninstall acrobat and adobe reader until then. The reason is that most major browsers (firefox, chrome, ie, etc) will auto-launch those readers if a webpage calls for it, which can happen by merely embedding into the website. Basically it means any website or flash can take advantage of the acrobat/reader vulnerability.

06-08-2010, 08:45 AM   #3
TheMuffinMan
Re: Security Advisory for Flash Player, Adobe Reader and Acrobat

Good thing I don't use Adobe Reader for opening PDFs. =) (and I updated my Flash)

06-09-2010, 06:10 AM   #4
Nghtmr9999
Re: Security Advisory for Flash Player, Adobe Reader and Acrobat

omgs, we should totally move to HTML5

</apple>

06-09-2010, 03:22 PM   #5
Ualaa
Re: Security Advisory for Flash Player, Adobe Reader and Acrobat

Kind of funny, after doing this security update, my dvd drive would not read a Stargate Atlantis disc which was already in the drive. Watch an episode last night, do the update, and then try to watch another one later that same evening.

Got the message that my current video driver would not allow the dvd to play protected content on the disc.

And then a video driver update done, and all is good again.

Just odd.
__________________
Google: Ualaa's guide to IS Boxer
Streaming in HD: www.twitch.tv/ualaa

06-09-2010, 04:23 PM   #6
Iru
Re: Security Advisory for Flash Player, Adobe Reader and Acrobat

Steve Ballmer is messing with you.....

06-09-2010, 04:47 PM   #7
TheMuffinMan
Re: Security Advisory for Flash Player, Adobe Reader and Acrobat

Quote:
Originally Posted by Ualaa
Kind of funny, after doing this security update, my dvd drive would not read a Stargate Atlantis disc which was already in the drive. Watch an episode last night, do the update, and then try to watch another one later that same evening.

Got the message that my current video driver would not allow the dvd to play protected content on the disc.

And then a video driver update done, and all is good again.

Just odd.
/offtopic
One of my favorite shows =) Cannot wait for them to bust out some Direct2DVD movies.