Adobe promises fix for critical Flash hole next week
Long hot weekend
Adobe has promised to fix a critical vulnerability in its Flash player software by the end of next week.
The flaw - which stems from a bug in a component of its Flash player software but also affects Adobe Reader and Acrobat - has become the focus of targeted hacking attacks over recent days.
As a result Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2 on multiple platforms (Linux, Windows and Mac) all need patching.
Adobe said it would a release for the Flash Player flaw by Thursday (30 July) and for the Acrobat/Reader flaws by Friday (31 July).
Ahead of the promised fixes, Adobe published an advisory detailing workarounds here.
Security watchers have criticised the use of Flash within PDF document reader software as creating extra routes of exploitation of therefore greater danger.
"The vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat," an advisory by security researchers at the SANS Institute's Internet Storm Centre explains.
"This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well." ®
Can't come soon enough...
Adobe's advice is interesting, however terribly incomplete and to some degree bad advice. Going to the linked article from Adobe it tells users to delete/disable authplay.dll. Of course this is of no use to Maq, Linux, or Solaris users whatsoever. On Linux at least the file in question appears to be /opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so and on Mac it appears to be /Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle. Of course, moving this file only protects you against malicious PDF's and not the Flash exploit.. And Adobe's advice for that? "Flash Player users should exercise caution in browsing untrusted websites." What the heck is a trusted site these days? And how are users to know if a site contains Flash??? I recommend using NoScript in the interim (http://noscript.net) to prevent flash from loading through ANY site until this hole is fixed.
Which leads to my next question.. When is Adobe going to provide tools to network admins to actually roll out these updates in a controlled manner? Without something better than a quarterly patch Tuesday its only a gesture towards really caring about the security of users of their products. These flaws are being actively exploited (http://www.sophos.com/blogs/sophoslabs/post/5524) so protect yourselves immediately!
Adobe can do better than this
The advice from Adobe is a bit lacking... Linux, Mac, and Solaris users are left to their own.. And I am not sure what an "untrusted website" is considering that many popular websites, ad networks, etc have been compromised the last 18 months.
Linux users should move their libauthplay.so somewhere or delete (usually in /opt/Adobe/Reader9/Reader/intellinux/lib). This does NOT protect against the Flash exploit, only against Flash in PDF files.
Mac users should move /Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle (Just use Spotlight to search for AuthPlayLib in Applications).
Windows, Mac, and Linux users should use something like NoScript (http://noscript.net) rather than follow Adobe's advice of "exercise caution in browsing untrusted websites". We published more info on our blog, as this is being actively exploited in the wild (http://www.sophos.com/blogs/sophoslabs/post/5524).
Chet Wisniewski (@chetwisniewski)
They promise a fix do they. Tell me how many years have they been working on the 64 bit flash for Windows ?