Security Alerts

Security Warning: Critical Vulnerability in Adobe Flash, AIR, Reader, and Acrobat
6/10/2010

A vulnerability in Adobe Flash is being actively exploited on the Internet. It affects Adobe Flash Player and every other Adobe application that bundles its own copy of the Flash runtime, including Adobe Reader 9 and Acrobat 9.

Adobe released a patch for Flash Player on June 10, 2010.  Because other Adobe products carry their own copy of Flash, patching Flash Player does not fix them.  Windows/Microsoft Automatic Updates will not install the Flash Player patch.  A patch is not yet available for Adobe Reader or Acrobat.

This vulnerability is similar to the ones described in our earlier Security Alerts, Security Warning: Adobe Reader and Acrobat Vulnerability Being Exploited (12/21/2009) and Security Warning: Vulnerable Adobe Flash Being Exploited in The Wild (7/26/2009). The recommendations in those alerts also provide partial protection against this vulnerability.

Threat Level

Warning:  Vulnerability is being actively exploited on the Internet.  Exploit code for this vulnerability is publicly available.

(A "warning" alert covers a situation that is currently occurring, or for which conditions are right for it to occur soon.)

Severity:  High. An exploit could potentially allow an attacker to take control of the affected system.

Because Flash is ubiquitous and exploit code is publicly available, we expect attacks against this vulnerability to continue over the coming months.

Affected Software

  • Adobe Flash Player 10.0.45.2 and earlier 10.x versions
  • Adobe Flash Player 9.0.262 and earlier 9.x versions
  • Adobe AIR 1.5.3.9130 and earlier versions
  • Adobe Reader 9.3.2 and earlier 9.x versions
  • Adobe Acrobat 9.3.2 and earlier 9.x versions

Other Adobe products that support Flash may also be vulnerable.

How Are Systems Compromised?

Systems can be exploited in two ways. A user can be lured to a website that serves a malicious SWF file, which the Flash Player browser plug-in then runs. Alternatively, an attacker can create a PDF document with a malicious SWF file embedded in it; when the user opens the PDF, the copy of Flash bundled with Adobe Reader or Acrobat (authplay.dll) runs the SWF. Such a PDF can be served from a website or delivered by some other means, such as e-mail.

A system that does not have Flash Player installed can still be compromised, because Adobe Reader and Acrobat carry their own copy of the Flash runtime.
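The alert does not say how to check incoming files for the second vector (a PDF carrying Flash content). The following PowerShell function is an added example, not ITPS code: it flags PDFs that contain rich-media (Flash) annotations, JavaScript actions, or an embedded SWF, including SWFs hidden inside Flate-compressed streams, which a plain search for the SWF signature would miss. It is a string-matching triage heuristic rather than a PDF parser: it inflates only /FlateDecode streams, looks for the /Filter entry in a fixed window before each stream, and ignores other filters and object streams, so a clean result means "nothing obvious", not "safe". A /JavaScript hit on its own is common in legitimate forms; it is the combination with SWF content that matters here. The function names and the quarantine folder in the usage comment are assumptions.

```powershell
# Added example, not part of the ITPS alert. Flags PDFs that carry Flash (SWF)
# content or JavaScript, the combination this vulnerability is delivered with.
function Test-PdfForFlash {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Path)

    # Latin-1 maps every byte to exactly one character, so regex offsets line
    # up with file offsets and bytes round-trip through GetBytes unchanged.
    $latin1   = [System.Text.Encoding]::GetEncoding(28591)
    $text     = $latin1.GetString([System.IO.File]::ReadAllBytes($Path))
    $findings = New-Object System.Collections.Generic.List[string]

    # Dictionary names that mark rich-media (Flash) annotations and script
    # actions. PDF names are case-sensitive, hence -cmatch.
    foreach ($token in '/RichMedia', '/Flash', '/JavaScript', '/JS') {
        $pattern = [regex]::Escape($token) + '(?![A-Za-z])'   # /JS, not /JSomething
        if ($text -cmatch $pattern) { $findings.Add("name $token present") }
    }

    # SWF files begin with FWS (uncompressed) or CWS (zlib-compressed body).
    $swfMagic = '^(FWS|CWS)'
    $streams  = [regex]::Matches($text, '(?s)(?<!end)stream\r?\n(.*?)\r?\nendstream')
    for ($i = 0; $i -lt $streams.Count; $i++) {
        $m    = $streams[$i]
        $body = $m.Groups[1].Value
        if ($body -cmatch $swfMagic) {
            $findings.Add("stream $($i): embedded SWF ($($Matches[1]) header, stored raw)")
            continue
        }
        # The stream dictionary sits just before the 'stream' keyword; a
        # bounded look-back is enough to see its /Filter entry.
        $dictStart = [Math]::Max(0, $m.Index - 512)
        $dict      = $text.Substring($dictStart, $m.Index - $dictStart)
        if ($dict -cmatch '/FlateDecode') {
            $inflated = Expand-ZlibBytes ($latin1.GetBytes($body))
            if ($inflated.Length -ge 3 -and ($latin1.GetString($inflated, 0, 3) -cmatch $swfMagic)) {
                $findings.Add("stream $($i): embedded SWF ($($Matches[1]) header, inside /FlateDecode)")
            }
        }
    }
    return $findings
}

function Expand-ZlibBytes {
    param([byte[]]$Data)
    # A zlib stream is a 2-byte header followed by raw DEFLATE data, and
    # DeflateStream only understands the raw part. Truncated or corrupt data
    # yields whatever inflated before the error, which is enough for the magic.
    if ($Data.Length -lt 3) { return ,[byte[]]@() }
    $raw     = [byte[]]$Data[2..($Data.Length - 1)]
    $input   = New-Object System.IO.MemoryStream(, $raw)
    $output  = New-Object System.IO.MemoryStream
    $deflate = $null
    try {
        $deflate = New-Object System.IO.Compression.DeflateStream($input, [System.IO.Compression.CompressionMode]::Decompress)
        $buf = New-Object byte[] 4096
        while (($n = $deflate.Read($buf, 0, $buf.Length)) -gt 0) { $output.Write($buf, 0, $n) }
    } catch { }
    finally { if ($deflate) { $deflate.Dispose() } }
    return ,$output.ToArray()   # leading comma keeps the byte[] from being unrolled
}

# Usage (folder name is an assumption):
# Get-ChildItem C:\Quarantine -Filter *.pdf | ForEach-Object {
#     $hits = Test-PdfForFlash $_.FullName
#     if ($hits) { "$($_.Name):`n  " + ($hits -join "`n  ") }
# }
```

Run it over mail-gateway or proxy quarantine folders; any file reporting both an embedded SWF and a JavaScript name deserves a closer look before it is released to a user.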

How Do I Protect My Computer?

Enabling Automatic Updates in Windows will not install the Flash Player patch, because Windows Update covers only Microsoft products. You can configure Flash Player to notify you of updates, but it may check only once every 30 days (plenty of time to get exploited), and even then you must install the update manually.

Install the latest version of Flash Player (10.1) from
http://get.adobe.com/flashplayer/.  If you must use Flash Player 9 (perhaps because you are using an older operating system that does not support Flash Player 10), install Flash Player 9.0.277.0 or later from http://kb2.adobe.com/cps/406/kb406791.html. These updated versions of Flash Player are necessary, but not sufficient, to protect your computer: Adobe Reader and Acrobat use their own copy of Flash and remain vulnerable until they are patched or the workarounds below are applied.

Update to Adobe AIR 2.0.2.12610 from http://get.adobe.com/air/.

Adobe expects to provide an update for Adobe Reader and Acrobat 9.3.2 by June 29, 2010.  Until that patch is available and installed, deleting, renaming, or removing access to the authplay.dll and rt3d.dll files that ship with Adobe Reader and Acrobat 9.x disables Flash and 3D & Multimedia support. The side effect is that opening a PDF file that contains SWF content will cause the application to crash or display an error message rather than run the content.

Disable JavaScript in Adobe Reader.

Prevent Internet Explorer from automatically opening PDF documents.

Disable the displaying of PDF documents in the web browser.

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP is not complete protection, but it can prevent the execution of attacker-supplied code in some cases.

Do not run with administrator rights for normal work to mitigate the impact of a potential exploit.

Ensure that virus protection definitions are up to date.

Exercise caution in browsing untrusted websites.
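The Affected Software table and the steps above can be checked and applied from a script. The following PowerShell script is an added example, not part of the ITPS alert and not Adobe tooling: it reads the installed file versions, compares them with the version table in this alert, and applies the interim Reader/Acrobat workarounds (rename authplay.dll and rt3d.dll, disable JavaScript and in-browser PDF display, kill-bit the PDF ActiveX control so Internet Explorer cannot open PDFs inline, enable DEP). File and registry locations are the usual defaults and are assumptions; the CLSID for the Adobe PDF ActiveX control is likewise an assumption to verify under HKEY_CLASSES_ROOT\CLSID on your own build before deployment. The per-user registry preferences apply only to the account that runs the script; for a fleet, push the same values through Group Policy as described under Managed Services below. Run from an elevated prompt.

```powershell
# Added example, not part of the ITPS alert. Run from an elevated PowerShell prompt.
# Paths, registry keys and the ActiveX CLSID below are assumptions to verify on your build.

# Adobe's products install under Program Files (x86) on 64-bit Windows.
$PF = ${env:ProgramFiles(x86)}
if (-not $PF) { $PF = $env:ProgramFiles }

function Get-FileVersion3 {
    param([string[]]$Path)
    # Flash reports versions as "10,0,45,2" and Reader as "9.3.2.163"; normalise the
    # separators and keep major.minor.build so 9.3.2.163 compares equal to "9.3.2".
    $file = Get-Item $Path -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $file) { return $null }                                  # not installed
    $v = [version]($file.VersionInfo.FileVersion -replace '[,\s]+', '.')
    return [version]('{0}.{1}.{2}' -f $v.Major, $v.Minor, [Math]::Max($v.Build, 0))
}

# Affected-version table from the alert, expressed as "is this version fixed?" tests
# (the AIR build number 12610 is dropped by the 3-part comparison above).
$flashFixed = { param($v) if ($v.Major -eq 9) { $v -ge [version]'9.0.277' } else { $v -ge [version]'10.1.0' } }
$Components = @(
    @{ Name  = 'Flash Player (IE ActiveX)'
       Path  = "$env:windir\System32\Macromed\Flash\Flash*.ocx", "$env:windir\SysWOW64\Macromed\Flash\Flash*.ocx"
       Fixed = $flashFixed }
    @{ Name  = 'Flash Player (browser plug-in)'
       Path  = "$env:windir\System32\Macromed\Flash\NPSWF32.dll", "$env:windir\SysWOW64\Macromed\Flash\NPSWF32.dll"
       Fixed = $flashFixed }
    @{ Name  = 'Adobe AIR'
       Path  = "$PF\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll"
       Fixed = { param($v) $v -ge [version]'2.0.2' } }
    @{ Name  = 'Adobe Reader 9'
       Path  = "$PF\Adobe\Reader 9.0\Reader\AcroRd32.exe"
       Fixed = { param($v) $v -gt [version]'9.3.2' } }
    @{ Name  = 'Adobe Acrobat 9'
       Path  = "$PF\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe"
       Fixed = { param($v) $v -gt [version]'9.3.2' } }
)

function Get-AdobeExposure {
    foreach ($c in $Components) {
        $v = Get-FileVersion3 $c.Path
        if (-not $v) { continue }
        New-Object PSObject -Property @{ Component = $c.Name; Version = $v; Affected = -not (& $c.Fixed $v) }
    }
}

function Invoke-InterimWorkarounds {
    # 1. Disable the Flash and 3D runtimes bundled with Reader/Acrobat 9. PDFs with SWF
    #    content will now show an error instead of running it; rename back to undo.
    foreach ($dir in "$PF\Adobe\Reader 9.0\Reader", "$PF\Adobe\Acrobat 9.0\Acrobat") {
        foreach ($dll in 'authplay.dll', 'rt3d.dll') {
            $p = Join-Path $dir $dll
            if (Test-Path $p) { Rename-Item $p "$dll.disabled" }
        }
    }
    # 2. Turn off JavaScript and in-browser PDF display in the current user's preferences.
    foreach ($app in 'Acrobat Reader', 'Adobe Acrobat') {
        $base = "HKCU:\Software\Adobe\$app\9.0"
        if (-not (Test-Path $base)) { continue }
        New-Item "$base\JSPrefs" -Force | Out-Null
        Set-ItemProperty "$base\JSPrefs" -Name bEnableJS -Type DWord -Value 0
        New-Item "$base\Originals" -Force | Out-Null
        Set-ItemProperty "$base\Originals" -Name bBrowserIntegration -Type DWord -Value 0
    }
    # 3. Kill-bit the Adobe PDF ActiveX control so Internet Explorer cannot load PDFs
    #    inline (assumed CLSID; confirm under HKCR:\CLSID before use).
    $clsid = '{CA8A9780-280D-11CF-A24D-444553540000}'
    foreach ($hive in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $compat = "$hive\Microsoft\Internet Explorer\ActiveX Compatibility"
        if (-not (Test-Path $compat)) { continue }
        New-Item "$compat\$clsid" -Force | Out-Null
        Set-ItemProperty "$compat\$clsid" -Name 'Compatibility Flags' -Type DWord -Value 0x400
    }
    # 4. DEP for every process except explicit exclusions (Vista/7; Windows XP uses
    #    /noexecute=optout in boot.ini instead). Takes effect after a reboot.
    bcdedit /set '{current}' nx OptOut | Out-Null
}

Get-AdobeExposure | Format-Table Component, Version, Affected -AutoSize
# Invoke-InterimWorkarounds    # uncomment after reviewing the paths and CLSID above
```

The audit part is safe to run anywhere; the workaround function changes the machine, so review its paths first and keep a note of what was renamed so it can be reversed once the Reader/Acrobat patch is installed.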

More Information

Security Advisories
Adobe Security Advisories: http://www.adobe.com/support/security/advisories/apsa10-01.html and http://www.adobe.com/support/security/bulletins/apsb10-14.html
US-CERT: http://www.kb.cert.org/vuls/id/259425, http://www.kb.cert.org/vuls/id/486225

Blogs
Adobe Product Security Incident Response Team:
http://blogs.adobe.com/psirt/2010/06/security_bulletin_-_adobe_flas_3.html

Managed Services

IT Professional Services has deployed the Flash Player update to all Managed Care customers and, some time ago, used Group Policy to disable JavaScript in Acrobat and Adobe Reader and to stop Internet Explorer from automatically opening and displaying PDF documents.  Managed Care customers therefore already have the mitigations described above in place.

Professional Services

If you need assistance installing protection from this vulnerability or a security assessment, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.


© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030