Adobe Issues Flash Security Advisory


Adobe Systems has issued a new security advisory for Flash Player, Adobe Reader, and Adobe Acrobat. The company has rated a new vulnerability as “critical,” and said that it could crash your system and let the bad guys take over your computer.

The problem exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris, as well as Adobe Flash Player 10.1.95.2 and earlier versions for Android. The problem also exists in the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Mac OS X.

Adobe also said that there are active exploits targeting the vulnerability in the wild for Acrobat and Reader, though there are no known active exploits for Flash Player.

Adobe said it expects to have a fix for the vulnerability for Flash Player 10.x for Windows, Macintosh, Linux and Android on November 9th, 2010, twelve days from now. A mere six days later, on November 15th, 2010, the company said it will have a fix for Adobe Reader and Acrobat 9.4 and earlier 9.x releases.


Comments

Lee Dronick

I am thinking that opening the infected PDFs in Preview would be safe, is that correct?

According to a document on Adobe’s website, here is a workaround, they call it a “mitigation,” for Acrobat. It entails deleting the AuthPlayLib.bundle file. Step-by-step instructions can be found on the page I linked.

Tiger

Fuel for the fire.

Lee Dronick

Fuel for the fire.

Certainly more than a flash in the pan.

Nemo

My workaround has been to disable Flash in all my web browsers and delete Adobe Reader from my system. And so far that is working great. Not only am I protected from the malware that exploits the multiple security flaws in Adobe’s software, I don’t have to implement any of Adobe’s workarounds for the endless, serial security flaws in its ineptly designed software.

Tiger

Somebody’s been quiet so far. Won’t last long.

geoduck

Another vulnerability in an Adobe product just after they issued a patch for the last one?

I’m shocked, shocked I tell you.

ctopher

Hey now, Flash and Acrobat are complex tools that have advanced the state of the art in their respective fields. I don’t believe that Adobe is being lazy or doesn’t care, but they are under attack because they’re a nearly ubiquitous vector into systems.

Us Mac Fanboys need to rise above the level of our Windows brethren. One Windows zealot, upon learning that there was a Java worm that could infect a Macintosh system, wrote:

*does the happy dance*

We’ve been saying it was only a matter of time and marketshare for a long time. I guess the magic number was 10%.

Maybe now the iSheep will finally shut up.

See DailyTech as an example.

MacKeeper_fan_Mod

Since the previous year the only thing they do is offer apologies and tell everybody that their security system is broken. Earlier they advised using earlier versions of the program and now they do the opposite. And even with the new updated version they don’t give a guarantee of safety. I have already got tired of trying to understand their politics.

This battle will be long and common users will be slewed as always.

Lee Dronick

From Adobe:

“A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.”

The way I am reading this is that the vulnerability is in Flash and currently it is Flash content in Adobe Reader and Acrobat that is the vector. A PDF file without Flash content should be fine. Is that correct?

“This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system.”

Would not running as Administrator protect the user, unless they enter an admin login and password?

jfbiii

Is there any mac user that even uses Reader for pdfs anymore? Preview is so much faster and it comes without the infernal Adobe check for new software.

Lee Dronick

Is there any mac user that even uses Reader for pdfs anymore? Preview is so much faster and it comes without the infernal Adobe check for new software.

I don’t use Adobe Reader for reading PDFs; I use Preview for that and an increasing number of other tasks. However, I occasionally use Acrobat, though not as much as in the past.
