Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: Security Advisory for Flash Player, Adobe Reader and Acrobat SANS ISC InfoSec Forums

Special Webcast: What you need to know about the crypt32.dll vulnerability. Register Now

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Security Advisory for Flash Player, Adobe Reader and Acrobat

Adobe has released an advisory that a critical vulnerability exists for Windows, Macintosh, Linux and Solaris in the Adobe Flash Player version 10.0.45.2 and earlier as well as in the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe has received reports indicating this vulnerability is being actively exploited in the wild against Adobe Flash Player, Adobe Reader and Acrobat. The original security bulletin and suggested mitigations by Adobe is posted here.

Affected Versions

- Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris
- Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX

Not Vulnerable

- Flash Player 10.1 Release Candidate, can be downloaded here
- Adobe Reader and Acrobat 8.x are confirmed not vulnerable

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

 Guy

451 Posts
ISC Handler
Subscribe Jun 5th 2010
9 years ago
The page for the Release Candidate version of Flash 10.1 contains this text:

"Adobe® Flash® Player 10.1 is the first runtime release of the Open Screen Project that enables uncompromised Web browsing of expressive applications, content and video across devices."

Does putting the words "Adobe" and "uncompromised web browsing" in the same sentence constitute false advertising, a warranty or just wishful thinking on their part? :-)
 Anonymous
Quote Jun 5th 2010
9 years ago
So everyone is going to rush to queue up a Release Candidate of 10.1 to 'patch' this vulnerability? I think not...are we waiting for more 10.0.x.x updates, or will 10.1 be Release quality soon?
 Paul

44 Posts
Quote Jun 5th 2010
9 years ago
I decided to only run the flash un-installer that was provided on the RC page and see how painful or not it is to not have flash.

I also wonder if those that do install the RC will actually read the RC directions and do the un-install step first before installing the RC. And is the un-install just one of those preferred steps or a real requirement.
 FTWMike

24 Posts
Quote Jun 5th 2010
9 years ago
My attempt to do without flash didn't even last 2 hours. OpenDNS uses flash for some of it's 'stats' information. So RC7 (10.1) it is.
 FTWMike

24 Posts
Quote Jun 5th 2010
9 years ago
I imagine that a lot of web pages are probably broken without flash
 Guy

451 Posts
ISC Handler
Quote Jun 5th 2010
9 years ago
Adobe updated the bulletin to provide release dates for Flash (10 June) and Acrobat products (29 June).
 Guy
3 Posts
Quote Jun 8th 2010
9 years ago
Firefox users: use Flashblock extension to only allow Flash in your browser on a case-by-case basis, i.e. block it until you want it.
Guy
3 Posts
Quote Jun 9th 2010
9 years ago

Sign Up for Free or Log In to start participating in the conversation!