bit-tech.net

Adobe warns of Flash, Acrobat attack

This latest security flaw in Adobe's Flash technology will come as an embarrassing admission in its battle with Apple.

Adobe has once again entered the firing line with the news that its Reader, Acrobat, and Flash Player products are all vulnerable to a major flaw - and one which can leave systems vulnerable to attack by a remote cracker.

As reported by Sophos' Graham Cluley on his blog, Adobe this weekend issued a security advisory warning its users that a series of zero-day vulnerabilities in its software could leave them open to attack - regardless of the platform they're running.

The vulnerabilities - which are regarded by the company to be 'critical' - affect Adobe Reader, Acrobat, and Flash Player on Windows, Mac OS X, Linux, Solaris, and UNIX-based systems - in other words, every single platform the packages are currently available for.

The issue - which it is believed relates to the way that Acrobat handles ShockWave-format content embedded within files - can be mitigated by deleting the file authplay.dll from your installation directory. While this will result in Adobe Acrobat and Reader crashing should you open a PDF file containing ShockWave content, it'll prevent maliciously-crafted files from having their wicked way with your system.
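The authplay.dll mitigation described above, as an added example that is not from the article or from Adobe: a Python script that finds the file under an installation root and renames it rather than deleting it, so it can be restored once a patch ships. The rename suffix, the function names and the directory layout used in the demo are assumptions.

```python
import os
import tempfile

TARGET = "authplay.dll"   # component named in the article
SUFFIX = ".disabled"      # assumption: rename instead of delete, so it is reversible


def find_authplay(root):
    """Return every path under root whose file name is authplay.dll (any case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def disable_authplay(root, dry_run=True):
    """Rename each authplay.dll under root and return (original, new) pairs.

    With dry_run=True nothing is touched; the pairs show what would change.
    """
    changes = []
    for path in find_authplay(root):
        new_path = path + SUFFIX
        if not dry_run:
            # os.replace overwrites a stale quarantined copy from an earlier run.
            os.replace(path, new_path)
        changes.append((path, new_path))
    return changes


def demo():
    """Run against a constructed directory tree (layout is illustrative only)."""
    with tempfile.TemporaryDirectory() as root:
        for sub, name in (("Reader 9.0/Reader", "authplay.dll"),
                          ("Acrobat 9.0/Acrobat", "AuthPlay.DLL"),
                          ("Reader 9.0/Reader", "unrelated.dll")):
            folder = os.path.join(root, *sub.split("/"))
            os.makedirs(folder, exist_ok=True)
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"constructed placeholder")
        planned = disable_authplay(root, dry_run=True)
        still_present = len(find_authplay(root))   # dry run leaves files in place
        done = disable_authplay(root, dry_run=False)
        remaining = len(find_authplay(root))       # nothing loadable is left
        return len(planned), still_present, len(done), remaining


if __name__ == "__main__":
    print(demo())
```

Running it with `dry_run=True` first gives a list to review before anything on disk changes.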

Currently, there is no known workaround for the issue in Adobe Flash Player - although the company's director of product security Brad Arkin states that Adobe is working on a patch as quickly as possible. For now, the only way to be safe out there is to either uninstall the Flash Player plugins from your system, or to upgrade to the release candidate of Flash Player 10.1 which is not thought to be vulnerable.

These latest flaws - which echo a sad history of security vulnerabilities in the company's products - will do nothing to convince those on the fence regarding the company's public spat with Apple over the lack of support for Flash content on the iPhone platform that Adobe holds the high ground.

Do you think that this latest security vulnerability - in, let's face it, a long string - shows that Steve Jobs was right to deny Flash a foothold on the iPhone OS, or is anything as ubiquitous as Adobe's Flash and PDF technology bound to get targeted by those with evil intent? Share your thoughts over in the forums.

7 Comments

jrs77 7th June 2010, 11:06
That's exactly the problem with PlugIns...

...they add security-risks.
Bakes 7th June 2010, 11:10
This article suffers from a classic case of putting two and two together to make five.

The problem is to do with Acrobat incorrectly handling embedded SWF files. It's not a vulnerability in either Flash or Shockwave so-to-speak, merely in the way that Adobe has handled it in Adobe Reader.

As the guy from Sophos said, why would I ever want to open an SWF file in a PDF file? Sure, it could be useful for a few people in select situations, but until five minutes ago I never even knew it could be done! Adobe deserves to be criticized, but saying it's a reason not to use Flash is like saying that you shouldn't use the web because every browser has security holes and you could be hacked through one of them.

In terms of whether Steve Jobs could be right, the fact that Apple products are consistently shown to be insecure would make any justification based on security seem to be hypocritical.
For iPhone, I'm talking about sending an sms to crash the phone, sending an sms to take control of the phone, using a web page to view someone's sms', etc.
For Macs, I'm talking about using links that can take control of the system, emails that can take control of the system, etc.
At least Adobe knows that it needs to cut down on these embarrassing security problems. Apple has the benefits of security by obscurity, so its security is never tested as much. Which never seems to stop hackers getting through Safari in less than ten minutes. Flash is installed on 99% of computers, according to Millward Brown, which makes it even more open to attack than Windows. It's unsurprising that security problems are found frequently, almost every system has vulnerabilities and bugs, and most of them are fixed by simply not running under an admin account.
Gareth Halfacree 7th June 2010, 11:40
Quote:
Originally Posted by Bakes
This article suffers from a classic case of putting two and two together to make five.

The problem is to do with Acrobat incorrectly handling embedded SWF files. It's not a vulnerability in either Flash or Shockwave so-to-speak, merely in the way that Adobe has handled it in Adobe Reader.
Sounds like you're struggling a bit with the mathematics yourself, there: the flaw exists in both Adobe Reader *and* Flash Player.

To quote Adobe: "A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems." (my emphasis)

HTH.
NuTech 7th June 2010, 11:44
Adobe, you're really not helping your case with Apple here. :(
Bakes 7th June 2010, 12:18
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by Bakes
This article suffers from a classic case of putting two and two together to make five.

The problem is to do with Acrobat incorrectly handling embedded SWF files. It's not a vulnerability in either Flash or Shockwave so-to-speak, merely in the way that Adobe has handled it in Adobe Reader.
Sounds like you're struggling a bit with the mathematics yourself, there: the flaw exists in both Adobe Reader *and* Flash Player.

To quote Adobe: "A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems." (my emphasis)

HTH.

Ah yes, but the vulnerability is only found when you are using Acrobat, it can only be exploited when Flash files are embedded in a PDF file. That's what I meant by 'so-to-speak', there is a vulnerability in Flash but it's dependent on other more important conditions before it can be properly exploited, it's entirely to do with the integration of Flash and Acrobat and the way that Acrobat handles Flash files. From what Adobe have said, there seems to be absolutely no problem with Flash applets in any web browser (with this specific exploit, anyway).
Showerhead 7th June 2010, 13:23
And that's why I don't use Adobe Reader. Unfortunately as a huge chunk of the internet uses Flash I'm kinda stuck with it.
rickysio 7th June 2010, 13:29
Jobs : Kekekekekeke