Thursday, March 17, 2011

Another Adobe Flash vulnerability being exploited now

I have seen reports of a new flaw in Adobe Flash player in many places on the 'net over the past few days.

The US CERT discussion of it is unusually detailed (for CERT) and has some good suggestions:
  • US-CERT: Adobe Releases Security Advisory for Flash Player, Reader, and Acrobat
    added March 15, 2011 at 10:29 am

    Adobe has released a security advisory to alert users of a vulnerability affecting the following products:

    • Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux, and Solaris
    • Adobe Flash Player 10.2.154.18 and earlier versions for Google Chrome users
    • Adobe Flash Player 10.1.106.16 and earlier versions for Android
    • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh.

    Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. At this time, the vendor has not released a fix for this vulnerability. The Adobe advisory indicates that this vulnerability is being actively exploited via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.

    Adobe has indicated that it expects to release a fix for this vulnerability during the week of March 21, 2011. In the interim, users and administrators are encouraged to implement the following workarounds to help reduce the risks.
    • Disable Flash in the web browser as described in the Securing Your Web Browser document.
    • Disable Flash and 3D & Multimedia support in Adobe Reader 9 and later.
    • Disable JavaScript in Adobe Reader and Acrobat.
    • Prevent Internet Explorer from automatically opening PDF documents.
    • Disable the displaying of PDF documents in the web browser.
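As an added example (my own code, not part of this post or the US-CERT bulletin), here is a small Python triage helper that turns the two concrete facts in the bulletin into something a mail gateway or incident-response script can check: the affected Flash Player version ceilings per platform, and the delivery vector of a .swf embedded in an .xls attachment. The SWF header layout (3-byte "FWS"/"CWS" signature, one version byte, little-endian 32-bit length) and the OLE2 compound-file magic are standard format facts; the sample attachment bytes are constructed and contain no real Flash content, and the function names are my own.

```python
"""Triage helpers for the Flash-in-Excel delivery vector described above."""
import struct

# Affected ceilings exactly as listed in the US-CERT bulletin: any build at or
# below these is vulnerable to the (as yet unpatched) flaw.
AFFECTED_MAX = {
    "desktop": (10, 2, 152, 33),   # Windows, Macintosh, Linux, Solaris
    "chrome": (10, 2, 154, 18),    # Flash bundled with Google Chrome
    "android": (10, 1, 106, 16),
}

def parse_version(text):
    """'10.2.152.33' -> (10, 2, 152, 33); shorter strings are zero-padded."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def is_affected_flash(version, platform="desktop"):
    """True if this Flash Player build is at or below the affected ceiling."""
    return parse_version(version) <= AFFECTED_MAX[platform]

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .xls/.doc container
SWF_SIGNATURES = (b"FWS", b"CWS")                 # uncompressed / zlib SWF

def find_embedded_swf(data, max_len=50 * 1024 * 1024):
    """Return plausible SWF headers found anywhere in `data`.

    SWF header: 3-byte signature, 1-byte version, uint32 LE file length
    (the uncompressed length for CWS). The version and length sanity checks
    suppress hits on the letters 'FWS'/'CWS' occurring in ordinary text.
    """
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                (length,) = struct.unpack_from("<I", data, pos + 4)
                if 1 <= version <= 32 and 8 <= length <= max_len:
                    hits.append({"offset": pos, "signature": sig.decode(),
                                 "version": version, "length": length})
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

def triage_attachment(data):
    """Summarise what a gateway would want to know about one attachment."""
    return {
        "ole_container": data.startswith(OLE2_MAGIC),
        "swf_objects": find_embedded_swf(data),
    }

# Constructed sample: an OLE2 header, filler to the first 512-byte sector
# boundary, then a fake uncompressed SWF header (version 10, 4096 bytes).
SAMPLE_XLS = (OLE2_MAGIC + b"\x00" * 504
              + b"FWS" + bytes([10]) + struct.pack("<I", 4096)
              + b"\x00" * 64)

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_XLS))
    print(is_affected_flash("10.2.152.33"), is_affected_flash("10.2.153.1"))
```

Two caveats on the scanner: a legacy .xls is an OLE2 compound file whose streams are chopped into 512-byte sectors, so a flat byte scan can miss a header that straddles a sector boundary or sits inside a compressed OLE object; production tooling should walk the streams with a real OLE parser. And a signature hit only says "there is a Flash object in this spreadsheet", which is unusual enough to quarantine or inspect during an unpatched window, but the durable fix remains installing Adobe's update once it ships.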
