Adobe announced this evening that the typical triumvirate of Adobe products, Adobe Flash, Adobe Acrobat, and Flash, are being exploited by a zero-day attack. The latest version of Adobe Flash, 10.45.2, and all minor versions of Adobe Reader 9 and Adobe Acrobat 9 could be crashed through a vulnerability and allow remote access to an affected machine. It is reported that this vulnerability is in the wild and is currently being exploited. These vulnerabilities are found in the Adobe products on the different platforms: Windows, Macintosh, and Linux.
Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris
Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX.
You can read more at the Adobe Security Advisory which will be updated when a fix is scheduled.
Adobe Flash 10.1, which is currently only in Release Candidate status, Adobe reports does not appear vulnerable. You can download it here: http://labs.adobe.com/technologies/flashplayer10
As for mitigating the risk with Adobe Reader and Acrobat 9.x, Adobe recommends taking the following steps:
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.
The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:Program FilesAdobeReader 9.0Readerauthplay.dll for Adobe Reader or C:Program FilesAdobeAcrobat 9.0Acrobatauthplay.dll for Acrobat.
Adobe’s Product Security Incident Response Team blog has an article mentioning today’s security advisory.
Hopefully a patch will be released soon and the problem will be behind us. For now, you can follow the mitigation steps Adobe recommends. Adobe has a track record of responding to zero day exploits within 15 days.
In arguably good or bad timing, Brad Arkin was also featured in an article from Computerworld today that concludes that Adobe is heading in the right direction though the results will take some time to be visible.
Even so, Adobe deserves the hammering it’s gotten over security, he contends. “It’s fair to criticize, because you shouldn’t wait until your product causes your customers pain before you act. Every software company that doesn’t practice proactive security deserves to be criticized.”