Security Alerts
Security Warning: Critical Vulnerability in Adobe Flash, AIR, Reader, and Acrobat
6/10/2010
A vulnerability in the Adobe Flash runtime is being actively exploited on the Internet. It affects Adobe Flash Player and also other Adobe applications that bundle their own copy of the Flash runtime, such as Adobe Reader 9 and Acrobat 9. Adobe released a patch for Flash Player on June 10, 2010. Because those other products carry the Flash runtime independently of Flash Player, patching Flash Player does not fix them, and Windows/Microsoft Automatic Updates will not install the Flash Player patch either. A patch is not yet available for Adobe Reader or Acrobat. This vulnerability is similar to the ones described in our earlier Security Alerts "Security Warning: Adobe Reader and Acrobat Vulnerability Being Exploited" (12/21/2009) and "Security Warning: Vulnerable Adobe Flash Being Exploited in The Wild" (7/26/2009). The recommendations in those alerts provide some protection from this vulnerability as well.
Threat Level
Warning: The vulnerability is being actively exploited on the Internet, and exploit code for it is publicly available.
(A "warning" alert is for a situation that is currently occurring, or for which conditions are right for it to occur soon.)
Severity: High. A successful exploit could allow an attacker to take control of the affected system. Because Flash is ubiquitous and exploit code is publicly available, we expect to see attacks over the coming months that attempt to exploit this vulnerability.
Affected Software
- Adobe Flash Player 10.0.45.2 and earlier 10.x versions
- Adobe Flash Player 9.0.262 and earlier 9.x versions
- Adobe AIR 1.5.3.9130 and earlier versions
- Adobe Reader 9.3.2 and earlier 9.x versions
- Adobe Acrobat 9.3.2 and earlier 9.x versions
Other Adobe products that support Flash may also be vulnerable.
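A quick way to find which machines still need attention is to compare an inventory export against the list above. The script below is an added example and not part of this bulletin; the inventory rows it contains are constructed. The comparison has to be branch-aware: Flash Player 9.0.277.0 is a fixed build while 10.0.45.2 is not, so simply testing for "newer than 9.0.277.0" gives the wrong answer.

```python
"""Branch-aware check of an Adobe product inventory against the Affected
Software list in this alert.  Added example, not from the bulletin; the
inventory below is constructed."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Per product: (branch prefix, or None for "all earlier versions",
# highest vulnerable version on that branch).  Branches are checked
# separately because Flash Player 9.0.277.0 is fixed while 10.0.45.2 is
# not, so a single "newer than" threshold would be wrong.
AFFECTED: Dict[str, List[Tuple[Optional[Version], Version]]] = {
    "Flash Player": [((10,), (10, 0, 45, 2)), ((9,), (9, 0, 262))],
    "AIR": [(None, (1, 5, 3, 9130))],
    "Reader": [((9,), (9, 3, 2))],
    "Acrobat": [((9,), (9, 3, 2))],
}


def parse_version(text: str) -> Version:
    """'9.0.277.0' -> (9, 0, 277, 0)."""
    return tuple(int(part) for part in text.strip().split("."))


def version_le(a: Version, b: Version) -> bool:
    """Compare after zero-padding so that 9.0.262 and 9.0.262.0 are equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True/False for products and branches the alert covers, None otherwise."""
    rules = AFFECTED.get(product)
    if rules is None:
        return None
    v = parse_version(version)
    for branch, last_bad in rules:
        if branch is None or v[: len(branch)] == branch:
            return version_le(v, last_bad)
    return None  # e.g. a Flash Player 8.x build: not in the alert's list


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group (host, product, version) rows into vulnerable / fixed / not_covered."""
    report: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "not_covered": []}
    for host, product, version in inventory:
        state = is_vulnerable(product, version)
        bucket = "not_covered" if state is None else ("vulnerable" if state else "fixed")
        report[bucket].append(f"{host}: {product} {version}")
    return report


# Constructed inventory, shaped like an asset-management export.
INVENTORY = [
    ("ws01", "Flash Player", "10.0.45.2"),
    ("ws01", "Reader", "9.3.2"),
    ("ws02", "Flash Player", "9.0.277.0"),
    ("ws02", "AIR", "1.5.3.9130"),
    ("ws03", "Flash Player", "10.1.53.64"),
    ("ws03", "AIR", "2.0.2.12610"),
    ("ws04", "Shockwave Player", "11.5.7.609"),
]

if __name__ == "__main__":
    for bucket, rows in triage(INVENTORY).items():
        print(bucket)
        for row in rows:
            print("  ", row)
```

Rows reported as "not_covered" (a product or branch the alert does not list) still need a human decision; the alert itself says other Adobe products that support Flash may also be vulnerable.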
How Are Systems Compromised?
Systems can be exploited in two ways. A user can be lured into visiting a web site that serves a malicious SWF (Flash) file, which Flash Player then executes, or into opening a malicious PDF file. For the second route an attacker embeds a SWF file in a PDF document and delivers it by some other means, such as e-mail. Adobe Reader and Acrobat render the embedded SWF with their own copy of the Flash runtime (authplay.dll), so a system that has no Flash Player installed at all can still be compromised through a PDF.
How Do I Protect My Computer?
Enabling Automatic Updates in Windows will not install the Flash Player patch, because Windows Update does not cover non-Microsoft products. Flash Player can be configured to notify you of updates, but it may check only once every 30 days (plenty of time to get exploited), and even with that notification you must take manual action to install the update.
- Install the latest version of Flash Player (10.1) from http://get.adobe.com/flashplayer/.
- If you must use Flash Player 9 (perhaps because you are using an older operating system that does not support Flash Player 10), install Flash Player 9.0.277.0 or later from http://kb2.adobe.com/cps/406/kb406791.html.
- These updated versions of Flash Player are necessary, but not sufficient, to completely protect your computer, because Adobe Reader and Acrobat carry their own copy of the Flash runtime.
- Update to Adobe AIR 2.0.2.12610 from http://get.adobe.com/air/.
- Adobe expects to provide an update for Adobe Reader and Acrobat 9.3.2 by June 29, 2010. Until that patch is available and installed, deleting, renaming, or removing access to the authplay.dll and rt3d.dll files that ship with Adobe Reader and Acrobat 9.x disables Flash and 3D & Multimedia support. Opening a PDF file that contains SWF content will then cause the application to crash or display an error message instead of running the content.
- Disable JavaScript in Adobe Reader and Acrobat.
- Prevent Internet Explorer from automatically opening PDF documents, and disable the display of PDF documents inside the web browser.
- Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP is not complete protection, but it can prevent the execution of attacker-supplied code in some cases.
- Do not run with administrator rights for normal work; this limits the damage a successful exploit can do.
- Ensure that virus protection definitions are up to date.
- Exercise caution when browsing untrusted web sites.
More Information
Security Advisories
Adobe Security Advisories: http://www.adobe.com/support/security/advisories/apsa10-01.html and http://www.adobe.com/support/security/bulletins/apsb10-14.html
US-CERT: http://www.kb.cert.org/vuls/id/259425, http://www.kb.cert.org/vuls/id/486225
Blogs
Adobe Product Security Incident Response Team: http://blogs.adobe.com/psirt/2010/06/security_bulletin_-_adobe_flas_3.html
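The PDF-with-embedded-SWF delivery route described under "How Are Systems Compromised?" can be screened for while the Reader and Acrobat patch is still outstanding, for example on a mail gateway or when triaging attachments. The script below is an added example and not part of this bulletin or of Adobe's tooling: it resolves #xx name escapes, inflates FlateDecode streams, and flags SWF headers, RichMedia and 3D annotations, and JavaScript. The two sample PDFs it builds are constructed here and are not real documents.

```python
"""Static triage of PDF files for the content this alert warns about:
embedded Flash (SWF) streams, RichMedia/3D annotations and JavaScript.
Added example, not from the bulletin; both sample PDFs are constructed
inline and are not real documents."""
import re
import zlib
from typing import Dict, List

SWF_MAGIC = (b"FWS", b"CWS")  # uncompressed and zlib-compressed SWF headers
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# (regex over PDF names, bucket, label).  Applied after #xx escapes are
# resolved, so an obfuscated /J#61vaScript is still caught as /JavaScript.
NAME_RULES = [
    (rb"/Subtype\s*/RichMedia", "flash", "RichMedia annotation"),
    (rb"x-shockwave-flash", "flash", "SWF embedded-file MIME type"),
    (rb"/Subtype\s*/3D\b", "flash", "3D annotation (rt3d.dll)"),
    (rb"/JavaScript\b|/JS\b", "javascript", "JavaScript action"),
    (rb"/OpenAction\b|/AA\b", "javascript", "automatic action on open"),
]


def decode_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so obfuscated names match."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate(body: bytes) -> bytes:
    """Best-effort FlateDecode; returns b'' on corrupt input."""
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return b""


def scan_pdf(data: bytes) -> Dict[str, List[str]]:
    """Return findings by bucket.  Heuristic only: object streams,
    multi-filter chains and encrypted PDFs are not decoded."""
    findings: Dict[str, List[str]] = {"flash": [], "javascript": []}
    # Names are searched outside stream bodies, plus inside inflated ones.
    texts = [decode_names(STREAM_RE.sub(b"stream\nendstream", data))]
    for m in STREAM_RE.finditer(data):
        # The stream dictionary sits just before the 'stream' keyword.
        header = decode_names(data[max(0, m.start() - 300):m.start()])
        flate = b"/FlateDecode" in header
        blob = inflate(m.group(1)) if flate else m.group(1)
        if blob[:3] in SWF_MAGIC:
            findings["flash"].append("embedded SWF stream (%s)" % blob[:3].decode())
        if flate:
            texts.append(decode_names(blob))
    for text in texts:
        for pattern, bucket, label in NAME_RULES:
            if re.search(pattern, text) and label not in findings[bucket]:
                findings[bucket].append(label)
    return findings


def verdict(findings: Dict[str, List[str]]) -> str:
    """Quarantine anything carrying Flash or JavaScript until Reader is patched."""
    return "quarantine" if findings["flash"] or findings["javascript"] else "pass"


def build_sample(with_flash: bool) -> bytes:
    """Constructed minimal PDF for the demo; not a real document."""
    swf = zlib.compress(b"CWS\x0a" + b"\x00" * 64)  # compressed-SWF header + padding
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [] /Count 0 >>"]
    if with_flash:
        objs.append(b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent 4 0 R >>")
        objs.append(b"<< /Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash"
                    b" /Filter /FlateDecode /Length %d >>\nstream\n" % len(swf)
                    + swf + b"\nendstream")
        objs.append(b"<< /S /J#61vaScript /JS (app.alert(1)) >>")  # obfuscated name
    out = b"%PDF-1.7\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, sample in (("flash+js", build_sample(True)), ("clean", build_sample(False))):
        found = scan_pdf(sample)
        print(label, verdict(found), found)
```

Treat this as a first-pass filter only: it does not decode object streams, multi-filter chains or encrypted documents, so a "pass" does not prove a file is safe, while a "quarantine" verdict on a document that legitimately carries Flash or JavaScript is the intended trade-off until the patch is installed.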
Managed Services
IT Professional Services deployed the Flash Player update and, some time ago, via group policy at all of our Managed Care customers, disabled JavaScript in Acrobat and Adobe Reader and disabled Internet Explorer automatically opening and displaying PDF documents. Managed Care customers are protected from this vulnerability.
Professional Services
If you need assistance installing protection from this vulnerability, or a security assessment, IT Professional Services can help. Call our help desk.
Find out more about our managed care service.
To find out how vulnerable your network is, schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.