Thursday, June 10, 2010

Adobe patches Flash, but Adobe Reader 9 remains unpatched

A nasty hole in Adobe Flash (all platforms: Windows, Mac, Linux) has been patched on the Windows version. A related hole in Adobe Reader 9 is still unpatched. I have patched my Adobe Flash players and am in the process of patching Flash on business client computers. For home users, links to the Flash patches can be found here: Adobe - Security Bulletins: APSB10-14 Security update available for Adobe Flash Player -- but network admins and those not wishing to use Adobe's magical "Download Mangler" should read to the end of this blog entry to find links to Flash patches they can distribute more easily.

To protect yourself if you run Adobe Reader 9, note that the vulnerability relates to Flash objects embedded inside PDF documents. Adobe Reader 8 (and earlier versions) can't play embedded Flash objects and so is not vulnerable. To protect Adobe Reader 9, just rename authplay.dll. According to Adobe, "(t)he authplay.dll that ships with Adobe Reader 9.x and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat." See Security Advisory for Flash Player, Adobe Reader and Acrobat (APSA10-01) for more information.
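
The rename described above, scripted for admins who need to apply it on many machines. This is an added example, not code from Adobe or from the original post; the two relative paths are the ones Adobe gives above, while the `.disabled` suffix and the extra check of the `Program Files (x86)` root are assumptions.

```powershell
# Added example: disable authplay.dll in Adobe Reader/Acrobat 9 by renaming it.
# The relative paths come from Adobe's advisory text quoted on this page; the
# ".disabled" suffix and the Program Files (x86) lookup are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Suffix = '.disabled'   # assumed naming; any non-.dll name works
)

# Relative locations as given in APSA10-01.
$relativePaths = @(
    'Adobe\Reader 9.0\Reader\authplay.dll',
    'Adobe\Acrobat 9.0\Acrobat\authplay.dll'
)

# Check both Program Files roots; the x86 root only exists on 64-bit Windows.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

$results = foreach ($root in $roots) {
    foreach ($rel in $relativePaths) {
        $dll     = Join-Path $root $rel
        $renamed = "$dll$Suffix"
        $status  = 'NotInstalled'

        if (Test-Path -LiteralPath $dll) {
            try {
                if ($PSCmdlet.ShouldProcess($dll, "Rename to $renamed")) {
                    Rename-Item -LiteralPath $dll -NewName (Split-Path $renamed -Leaf) -ErrorAction Stop
                    $status = 'Disabled'
                } else {
                    $status = 'WouldDisable'   # -WhatIf run, nothing changed
                }
            } catch {
                # Typically: not elevated, Reader holds the file open,
                # or a renamed copy from an earlier run already exists.
                $status = "Failed: $($_.Exception.Message)"
            }
        } elseif (Test-Path -LiteralPath $renamed) {
            $status = 'AlreadyDisabled'
        }

        New-Object PSObject -Property @{ Path = $dll; Status = $status }
    }
}

$results | Format-Table Path, Status -AutoSize
```

Run it from an elevated prompt with Reader and Acrobat closed; adding `-WhatIf` reports which copies would be renamed without touching them.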

Consumer-friendly write-ups and notifications can be found on the following pages:

Adobe Flash Update Plugs 32 Security Holes — Krebs on Security
As promised, Adobe has released a new version of its Flash Player software to fix a critical security flaw that hackers have been exploiting to break into vulnerable systems. The update also corrects at least 31 other security vulnerabilities in the widely used media player software.

The latest version, v. 10.1, fixes a number of critical flaws in Adobe Flash Player version 10.0.45.2 and earlier. Don’t know what version of Flash you’ve got installed? Visit this page to find out. The new Flash version is available for Windows, Mac and Linux operating systems, and can be downloaded from this link.

Note that if you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera, or whatever other browser you use.

Adobe plugs 32 security holes in 'critical' Flash Player patch | ZDNet
Adobe has shipped a “critical” Flash Player update to fix a total of 32 documented vulnerabilities in the ubiquitous software product.

The Adobe Flash Player 10.1.53.64 update comes on the heels of last week’s in-the-wild attacks against a zero-day hole in Adobe’s Reader and Flash Player product. This patch fixes that vulnerability along with 31 other serious security problems.

US-CERT Current Activity: Adobe Releases Flash 10.1
added June 10, 2010 at 08:00 pm

Adobe has released a Security Bulletin to address vulnerabilities in Adobe Flash Player 10.0.45.2 and earlier versions and in Adobe AIR 1.5.3.9130 and earlier versions. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB10-14 and to update to Adobe Flash Player 10.1 to help mitigate the risks.
Here are links to download the Flash patches directly, without going through Adobe's pages:

Once you download these Flash patches, they can be installed without any further clicking by running them with the "/install" command-line switch.
