Critical vulnerability found in Adobe Flash and Acrobat

Adobe has released an advisory regarding a critical vulnerability found in Flash and Acrobat.

The vulnerability, found in authplay.dll, can allow an attacker to crash and potentially take control of an affected system. There is currently no official patch, but Adobe has stated that renaming, deleting or controlling access to authplay.dll mitigates the threat as a stop-gap until a patch can be released.

Affected versions include:

Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris.
Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX.

The Flash 10.1 release candidate does not "appear" to be affected, which seems to be pretty ambiguous wording for a potentially dangerous vulnerability. Adobe will be updating advisory information as a patching schedule becomes available.
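The rename stop-gap mentioned above can be applied and later rolled back with a short script. This is an added example, not code from Adobe or from the article; the `.disabled` suffix and the function names are assumptions, and the directories to search are supplied by the operator because the article gives no install paths.

```python
import os
import sys

TARGET = "authplay.dll"   # file named in the advisory
SUFFIX = ".disabled"      # assumption: marker suffix chosen for this example

def find_files(roots, name):
    """Yield paths under roots whose file name equals name, ignoring case."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                if f.lower() == name.lower():
                    yield os.path.join(dirpath, f)

def disable(roots, dry_run=True):
    """Rename each authplay.dll; return (handled paths, [(path, error)])."""
    done, failed = [], []
    for path in list(find_files(roots, TARGET)):
        try:
            if not dry_run:
                # os.replace also overwrites a stale .disabled copy from an
                # earlier run, e.g. after a repair install restored the DLL.
                os.replace(path, path + SUFFIX)
            done.append(path)
        except OSError as exc:  # file locked by a running process, or no rights
            failed.append((path, str(exc)))
    return done, failed

def restore(roots):
    """Undo disable(); never overwrite a DLL that an updater put back."""
    restored, skipped = [], []
    for path in list(find_files(roots, TARGET + SUFFIX)):
        original = path[:-len(SUFFIX)]
        if os.path.exists(original):
            skipped.append(path)  # live copy present: keep it, report ours
        else:
            os.rename(path, original)
            restored.append(original)
    return restored, skipped

if __name__ == "__main__":
    # Usage: python authplay_stopgap.py [--apply] DIR [DIR ...]
    args = sys.argv[1:]
    apply_changes = "--apply" in args
    roots = [a for a in args if a != "--apply"]
    done, failed = disable(roots, dry_run=not apply_changes)
    for p in done:
        print(("renamed " if apply_changes else "would rename ") + p)
    for p, err in failed:
        print("FAILED " + p + ": " + err)
```

Without `--apply` the script only lists what it would rename, so the matches can be reviewed first. Paths reported as failed usually mean the application is still running or the script lacks rights on the install directory.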

61 Comments


I just made the switch to Ubuntu 10.04 and will never look back. I like the fact that I can use an OS that isn't targeted by every cretin to get behind a keyboard. Plus, the argument about Windows sandbox doesn't hold water. Every browser was hacked @pwn2own except Chrome which is what I use. Linux, Chrome (Charlie Miller has stated almost impossible to get out of its sandbox), Flash_Block. Not bulletproof but way more secure than Windows or Mac!

Lifeflayer said,
Since when did Nitro become preferred to Foxit? I've always thought Foxit was the alternative to Acrobat.

+1 Foxit is a great program but I am getting worried about it.

And you guys think HTML5 is some kind of a miracle that can not be hacked, of course once HTML5 is out, hackers will start targeting that

Master1 said,
And you guys think HTML5 is some kind of a miracle that can not be hacked, of course once HTML5 is out, hackers will start targeting that

Huh?

Master1 said,
And you guys think HTML5 is some kind of a miracle that can not be hacked, of course once HTML5 is out, hackers will start targeting that

You're aware that HTML 5 is not a plugin or piece of software you install right? It's a web standard mark up language that is one of the foundations of the internet.

Master1 said,
And you guys think HTML5 is some kind of a miracle that can not be hacked, of course once HTML5 is out, hackers will start targeting that

Master1, what have you been toking?

Any HTML5 browser will have a video codec installed by default, so a flaw in that video codec will expose all users to internet attacks, just like for the flash player.

This is another good reason not to have Flash on a mobile device. HTML5 is very good, people are just lazy and don't want to learn it. And yes I'm a developer and use Flex and Flash a lot, but HTML5 just seems cleaner.

Flash Professional doesn't have to be dropped, it could export content to HTML5, something I believe Adobe were testing. It must be so embarrassing for Adobe to have to release this information, almost as much as when their demo on Android crashed!

stenorman2001 said,
This is another good reason not to have Flash on a mobile device. HTML5 is very good, people are just lazy and don't want to learn it. And yes I'm a developer and use Flex and Flash a lot, but HTML5 just seems cleaner.

I can't see many users of flash completely ditching it due to one minor flaw. Also, it doesn't 'Appear' to affect the 10.1 RC and therefore has no bearing on the mobile version

Y.Light said,

I can't see many users of flash completely ditching it due to one minor flaw. Also, it doesn't 'Appear' to affect the 10.1 RC and therefore has no bearing on the mobile version

Yeah you've gotta love Adobe. "Appears to not be affected" doesn't sound promising. I assume they tested it? I'm not suggesting ditching Flash but this isn't an isolated flaw. We see this almost once a month now with Flash or PDF. For two formats that started life as read only they seem to have expanded just a little too far.

I personally think that Adobe is the biggest threat to computer security. We're in the age where there's 3 Operating System choices, all with different code bases and security models, yet they're all vulnerable because of Flash. I'm looking forward to the day when HTML5 is widely used.

this is adobe'sh. I don't care about a Flash advert, but what about those who use Flex applications? Should I tell my customers that they have to stop using them until Adobe sometime in the future releases an update?

Well, I've learned my lesson. No more Flex applications. 3.5 SDK was the last one I've used. Period

10.1.53.64 is now RC7. How many RCs do Adobe need for Flash?

Looks like this is being actively exploited. May be time to update to the 10.1 RC Branch!

Until it gets fixed install this addon in firefox

Flashblock
https://addons.mozilla.org/en-US/firefox/addon/433/

It's something you should probably use anyway. It stops flash from loading on pages. It is sometimes annoying but the best security usually is. It allows you to play the blocked flash content just by clicking play, or telling it to always trust flash from that site. In this case it stops random flash from loading when going to a bad site.

warwagon said,
Until it gets fixed install this addon in firefox

Flashblock
https://addons.mozilla.org/en-US/firefox/addon/433/

It's something you should probably use anyway. It stops flash from loading on pages. It is sometimes annoying but the best security usually is. It allows you to play the blocked flash content just by clicking play, or telling it to always trust flash from that site. In this case it stops random flash from loading when going to a bad site.

Yea I'm no security expert (yet, give me another 18 months to finish my degree) but I'd find it far safer to UNINSTALL the offending software, than install another piece of software. There's nothing to say that that software will close that vulnerability.

I mean surely hackers are using those addons and working around them.

cybertimber2008 said,
Yea I'm no security expert (yet, give me another 18 months to finish my degree) but I'd find it far safer to UNINSTALL the offending software, than install another piece of software. There's nothing to say that that software will close that vulnerability.

I mean surely hackers are using those addons and working around them.



It doesn't let the browser access flash content at all. The file is not even downloaded. So no flash vulnerability can circumvent this unless the user is dumb enough to click the button in an untrusted website.

cybertimber2008 said,
Yea I'm no security expert (yet, give me another 18 months to finish my degree) but I'd find it far safer to UNINSTALL the offending software, than install another piece of software. There's nothing to say that that software will close that vulnerability.

I mean surely hackers are using those addons and working around them.

Flashblock is legit, it's been around for a good while and simply removes Flash's ability to even load, i.e. as if you didn't have Flash. So chances are it'll negate the effects of this flaw for the meantime.

warwagon said,
Until it gets fixed install this addon in firefox

Flashblock
https://addons.mozilla.org/en-US/firefox/addon/433/

+1. I never used this plugin until recently but found it to be awesome. Didn't know that it replaced the actual flash content with a play button until I tested it out -- thought it worked more like Adblock and would just strip the content away.

Security aside, just having better stability/faster page loading as a result of using the plugin makes it well worth it.

warwagon said,
Until it gets fixed install this addon in firefox

Flashblock
https://addons.mozilla.org/en-US/firefox/addon/433/

It's something you should probably use anyway. It stops flash from loading on pages. It is sometimes annoying but the best security usually is. It allows you to play the blocked flash content just by clicking play, or telling it to always trust flash from that site. In this case it stops random flash from loading when going to a bad site.

and when you will visit a legitimate site which is serving malicious ads (or has been hacked but not defaced), you will enable flash and get infected anyway... how secure is that!


or, better solution, switch to Internet Explorer for more security without even sacrificing usability!

UAC (or any limited account system) alone won't protect you from user mode malwares getting installed on your user profile through this flaw (this is true on any operating system, as most malware don't need admin/root privilege anymore to run)

However, as Internet Explorer (on vista/7) is the only browser that sandboxes Flash Player and adobe reader, users of Internet Explorer are safe, as this flaw CANNOT be exploited to write on the hard disk. (thus, no malware can be installed through this flaw). UAC must not have been disabled, otherwise IE sandbox is disabled too (protected mode off)

Note that although google chrome is sandboxed, flash running in chrome is NOT sandboxed (it is running in a separate process, outside the google chrome security sandbox!), making users of chrome as vulnerable as firefox, opera, safari, or IE running on XP

warwagon said,
Until it gets fixed install this addon in firefox

Flashblock
https://addons.mozilla.org/en-US/firefox/addon/433/

It's something you should probably use anyway. It stops flash from loading on pages. It is sometimes annoying but the best security usually is. It allows you to play the blocked flash content just by clicking play, or telling it to always trust flash from that site. In this case it stops random flash from loading when going to a bad site.

Ooooor... Just switch to opera, it has built in adblocking.

It's not ammo for Steve Jobs, there's bugs and security holes on Macs and every other piece of software out there. It's even hard to knock Flash for its stability issues, because I see that as more sloppy design and programming than Flash per se, though there should be more systems in place to kill and restrain poor programs from dragging your comp/handheld down.

It is when it is Adobe. They have done very little to actually reassure "us" that they even care that their products have bugs. I seem to remember talk of a quarterly update some weeks ago.

Ambroos said,
Bugs exist, get over it. This is hardly news in my opinion.

It's more newsworthy than many of the "stories" on Neowin. 8P

buffer_hijack said,
o_O i am on ubuntu does it affect me?

if you have flash player or adobe reader installed, yes

the good news is no one cares about Linux. So, the hackers won't either. Nobody will spend time to develop a malware exploiting this flaw and working on less than 1% of computers.

link8506 said,

if you have flash player or adobe reader installed, yes

the good news is no one cares about Linux. So, the hackers won't either. Nobody will spend time to develop a malware exploiting this flaw and working on less than 1% of computers.

Oh please stfu about that shet. Freaking fanboi, that's why everyone hacks you guys

ZekeComa said,

Oh please stfu about that shet. Freaking fanboi, that's why everyone hacks you guys

just look at the facts: there is NOTHING preventing exploitation of flaws in Firefox/Flash Player on Linux. A usermode malware can be created to infect Linux users through this flaw. However, as Linux has less than 1% of market share, why would someone try to infect Linux users when he can infect 50% of Windows users?

by the way, users of Windows Vista/7 using internet explorer are safe from this kind of flaw since Internet Explorer is sandboxed, and flash player and adobe reader are also sandboxed within IE sandbox. This means no way to install a malware since the exploitation of a flaw won't give disk write access to the exploit...

Can't announcing a vulnerability without releasing a real patch be actually worse? Now everyone knows about it and exploits will most likely show up, before there's a fix.

amon91 said,
Can't announcing a vulnerability without releasing a real patch be actually worse? Now everyone knows about it and exploits will most likely show up, before there's a fix.

there is a fix, it is called Internet Explorer (on vista/7 flash and adobe reader are sandboxed through IE protected mode) ^^

seriously, a workaround is described in adobe advisory. That's better than simply waiting for the patch to be available without telling anything to customers while they are already at risk!

link8506 said,

there is a fix, it is called Internet Explorer (on vista/7 flash and adobe reader are sandboxed through IE protected mode) ^^

seriously, a workaround is described in adobe advisory. That's better than simply waiting for the patch to be available without telling anything to customers while they are already at risk!

Maybe he doesn't use internet exploder but he does have a point, stupid of Adobe to announce a vulnerability without patching it first.

JJ_ said,
stupid of Adobe to announce a vulnerability without patching it first.

Then on the flip side if Adobe did not release the ADVISORY before the patch and machines were infected en masse then they would be blamed for not releasing it. They did the right thing.

Jock Horror said,
it seems steve was right about flash

It'll be patched quicker than you can say "carpet bombing flaw in safari", which, coincidentally, hasn't been patched in the Windows version yet.

neo158 said,

It'll be patched quicker than you can say "carpet bombing flaw in safari", which, coincidentally, hasn't been patched in the Windows version yet.

owned lol nice reply

neo158 said,

It'll be patched quicker than you can say "carpet bombing flaw in safari", which, coincidentally, hasn't been patched in the Windows version yet.

This was fixed in Safari 3.1.2, back in 2008. Please verify your facts before posting.

stenorman2001 said,

This was fixed in Safari 3.1.2, back in 2008. Please verify your facts before posting.

Maybe you need to verify your facts, the flaw still exists as it wasn't patched properly in the Windows version of safari.

svnO.o said,

Really? Not 100% sure which is true or not (didn't look too far into it) but a quick search on Bing/Google I found this:
http://www.dhanjani.com/blog/2...mb-style-and-then-some.html

http://www.bing.com/search?q=carpet+bombing+flaw+safari+2010
http://www.google.com/#hl=en&source=hp&q=carpet+bombing+flaw+safari+2010

I should point out that this will happen with any browser, not just Safari. It will automatically prompt you on Windows as to whether or not you want to download the file, just like IE, Firefox and any other browser.

neo158 said,

Maybe you need to verify your facts, the flaw still exists as it wasn't patched properly in the Windows version of safari.

Sorry mate but have you used Safari lately? It will prompt you to download the file on Windows but won't automatically download it. The setting on the Mac is to download to the downloads folder automatically. Firefox and Chrome both act the same way. If you can see a different way of downloading files I'm sure everyone would like to know.

Besides, I much prefer it to IE constantly prompting you when you want to download a file. First the yellow box and then you get asked again. Very annoying and not so secure in that you end up training users to just accept it.

Better to stop the file launching once it's on the computer until the user accepts it - as is now the case on Windows and Mac OS X.

Jock Horror said,
it seems steve was right about flash

Too bad it took him a fair few years to fix that bug called "lack of multitasking may cause extreme anger".

stenorman2001 said,

I should point out that this will happen with any browser, not just Safari. It will automatically prompt you on Windows as to whether or not you want to download the file, just like IE, Firefox and any other browser.

Thanks for the clarification!

neo158 said,

It'll be patched quicker than you can say "carpet bombing flaw in safari", which, coincidentally, hasn't been patched in the Windows version yet.

First, making your browser download a lot of files isn't even in the same class as a vulnerability that can possibly give someone control of your system. So yeah, great comparison there.

Second, if you're going to argue that Apple takes too long to fix things that aren't even anywhere near as critical, at least argue it when you're not talking about a company like Adobe. Adobe is well known for not fixing bugs in their software.