Security Warning: Critical Vulnerability in
Adobe Flash, AIR, Reader, and Acrobat
A critical vulnerability affecting Adobe Flash is being actively exploited on the Internet. Adobe Flash Player and other Adobe applications that include the Flash runtime, such as Adobe Reader 9 and Acrobat 9, are also affected.
Adobe released a patch for Flash Player on June 10, 2010. Flash is also bundled in other products independently of Flash Player, so updating Flash Player alone does not patch them. Windows/Microsoft Automatic Updates will not install the Flash Player patch. A patch is not yet available for Adobe Reader or Acrobat.
This vulnerability is similar to the ones described in our earlier Security Alerts: "Security Warning: Adobe Reader Exploited" (12/21/2009) and "Security Warning: Vulnerable Adobe Flash Being Exploited in The Wild" (7/26/2009). The recommendations in those alerts provide some protection from this current vulnerability.
Warning: This vulnerability is being actively exploited on the Internet, and exploit code for it is publicly available.
(A "warning" alert is for a situation that is currently occurring, or for which conditions are right for it to occur soon.)
Severity: High. A successful exploit could allow an attacker to take control of the affected system. Because Flash is ubiquitous and exploit code is publicly available, we will likely see attacks attempting to exploit this vulnerability over the coming months.
Affected versions:
- Adobe Flash Player 10.0.45.2 and earlier 10.x versions
- Adobe Flash Player 9.0.262 and earlier 9.x versions
- Adobe AIR 18.104.22.16830 and earlier versions
- Adobe Reader 9.3.2 and earlier 9.x versions
- Adobe Acrobat 9.3.2 and earlier 9.x versions
Other Adobe products that support Flash may also be vulnerable.
How Are Systems Compromised?
Systems can be exploited in two ways. A user can be lured into visiting a website that leads to execution of a malicious SWF file, or into opening a malicious PDF file. An attacker can also create a PDF document with an embedded SWF file that exploits the vulnerability; such a PDF could be delivered to the user by other means, such as e-mail.
Because Adobe Reader and Acrobat ship their own copy of the Flash runtime, a system without Flash Player installed can still be compromised.
How Do I Protect My Computer?
Automatic Updates in Windows will not install the patch for Flash Player, because it does not update non-Microsoft products. You can configure Flash Player to notify you of updates, but it may check only once every 30 days (plenty of time to get exploited) and, even when notified, you must take manual action to install the update.
Install the latest version of Flash Player (10.1) from
If you must use Flash Player 9 (for example because you are using an older operating system that does not support Flash Player 10), install Flash Player 9.0.277.0 or later from http://kb2.adobe.com/cps/406/kb406791.html. These updated versions of Flash Player are necessary, but not sufficient, to completely protect your computer, because Reader and Acrobat carry their own Flash runtime.
Update to Adobe AIR 22.214.171.12410 from http://get.adobe.com/air/.
Adobe expects to provide an update for Adobe Reader and Acrobat 9.3.2 by June 29, 2010. Until a patch for Adobe Reader and Acrobat is available and installed, deleting, renaming, or removing access to the authplay.dll and rt3d.dll files that ship with Adobe Reader and Acrobat 9.x disables Flash and 3D & Multimedia support. With those files disabled, opening a PDF file that contains SWF content will cause the application to crash or display an error message instead of running the content.
- Prevent Internet Explorer from automatically opening PDF documents.
- Disable the display of PDF documents inside the web browser.
- Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. While DEP is not complete protection, it can prevent the execution of attacker-supplied code in some cases.
- Do not run with administrator rights for normal work, to limit the impact of a successful exploit.
- Ensure that virus protection definitions are up to date.
- Exercise caution when browsing untrusted websites.
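The recommendations above can be audited on a Windows host rather than checked by hand. The following PowerShell script is an added example written for this bulletin's recommendations; it is not code from ITPS or Adobe. It compares the installed Flash Player control versions against the patched versions named in this bulletin (9.0.277.0 and 10.1), reports whether authplay.dll and rt3d.dll are still present under Reader/Acrobat 9, reads the system DEP policy, and checks whether the current session runs with administrator rights. The Macromed\Flash directory under System32/SysWOW64, the Reader 9.0 and Acrobat 9.0 install paths, and the Win32_OperatingSystem DEP property are assumptions about default installations, not values taken from the bulletin.

```powershell
# Added example for this bulletin's mitigations; not ITPS or Adobe code.
# Install paths and the WMI property used below are assumptions about
# default installations, not values taken from the bulletin.

# Minimum patched Flash Player versions named in the bulletin.
$FlashPatched9  = [version]'9.0.277.0'
$FlashPatched10 = [version]'10.1'

function Test-FlashVersionPatched {
    param([Parameter(Mandatory=$true)][version]$Installed)
    # 10.x must be at least 10.1, 9.x at least 9.0.277.0; older branches
    # are unsupported and reported as unpatched.
    switch ($Installed.Major) {
        10      { return ($Installed -ge $FlashPatched10) }
        9       { return ($Installed -ge $FlashPatched9) }
        default { return ($Installed.Major -gt 10) }
    }
}

function Get-InstalledFlashVersions {
    # Assumption: the IE ActiveX control (Flash*.ocx) and the NPAPI plugin
    # (NPSWF*.dll) live under Macromed\Flash; 32-bit Flash on 64-bit Windows
    # sits under SysWOW64, so both system directories are scanned.
    foreach ($sys in 'System32', 'SysWOW64') {
        $dir = Join-Path $env:SystemRoot "$sys\Macromed\Flash"
        Get-ChildItem -Path (Join-Path $dir '*') -Include 'Flash*.ocx', 'NPSWF*.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                New-Object PSObject -Property @{
                    File    = $_.FullName
                    Version = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                }
            }
    }
}

function Get-ReaderFlashDlls {
    # Assumption: default Reader 9 / Acrobat 9 install directories.
    # StillPresent = $true means the rename/remove mitigation was not applied.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        foreach ($sub in 'Adobe\Reader 9.0\Reader', 'Adobe\Acrobat 9.0\Acrobat') {
            $dir = Join-Path $root $sub
            if (-not (Test-Path $dir)) { continue }
            foreach ($dll in 'authplay.dll', 'rt3d.dll') {
                $path = Join-Path $dir $dll
                New-Object PSObject -Property @{ Path = $path; StillPresent = (Test-Path $path) }
            }
        }
    }
}

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs only), 3 = OptOut.
    (Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
}

function Test-RunningAsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal $id
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Build one line per check; Ok = $false marks a recommendation not yet met.
$report = @()
foreach ($f in @(Get-InstalledFlashVersions)) {
    $report += New-Object PSObject -Property @{
        Check  = $f.File
        Ok     = Test-FlashVersionPatched $f.Version
        Detail = "Flash Player $($f.Version) installed"
    }
}
foreach ($d in @(Get-ReaderFlashDlls)) {
    $report += New-Object PSObject -Property @{
        Check  = $d.Path
        Ok     = -not $d.StillPresent
        Detail = $(if ($d.StillPresent) { 'present: rename or remove until the Reader/Acrobat patch is installed' } else { 'renamed or removed' })
    }
}
$dep = Get-DepPolicy
$report += New-Object PSObject -Property @{
    Check  = 'DEP policy'
    Ok     = ($dep -eq 1 -or $dep -eq 3)
    Detail = "policy $dep (1 = AlwaysOn and 3 = OptOut cover Reader and the browser; 2 = OptIn does not)"
}
$report += New-Object PSObject -Property @{
    Check  = 'Current session'
    Ok     = -not (Test-RunningAsAdmin)
    Detail = 'bulletin: do not run with administrator rights for normal work'
}
$report | Format-Table Check, Ok, Detail -AutoSize
```

Run it from an ordinary (non-elevated) PowerShell session so the last row reflects normal working rights; the file and WMI reads need no elevation. A Flash control that is missing from both directories simply produces no row, and a Reader or Acrobat directory that does not exist is skipped, so an empty report means neither product was found at the assumed locations rather than that the host is patched.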
Adobe Security Advisories: http://www.adobe.com/support/security/advisories/apsa10-01.html and http://www.adobe.com/support/security/bulletins/apsb10-14.html
US-CERT: http://www.kb.cert.org/vuls/id/259425, http://www.kb.cert.org/vuls/id/486225
Adobe Product Security Incident Response Team:
IT Professional Services deployed the Flash Player update, disabled JavaScript in Acrobat and Adobe Reader, and disabled Internet Explorer from automatically opening and displaying PDF documents, via group policy at all of our Managed Care customers some time ago. Managed Care customers are protected from this vulnerability.
If you need assistance installing protection from
this vulnerability or a security assessment, IT Professional Services
can help. Call our
out more about our managed care service.
To find out how vulnerable your network is, schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.