Release date: June 4, 2010

Last updated: June 7, 2010

Vulnerability identifier: APSA10-01

CVE number: CVE-2010-1297

Platform: All

Summary

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. This advisory will be updated once a schedule has been determined for releasing a fix.

Affected software versions

Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris
Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX

Note:
The Flash Player 10.1 Release Candidate available at http://labs.adobe.com/technologies/flashplayer10/ does not appear to be vulnerable.
Adobe Reader and Acrobat 8.x are confirmed not vulnerable.

Mitigations

Adobe Flash Player
The Flash Player 10.1 Release Candidate available at http://labs.adobe.com/technologies/flashplayer10/ does not appear to be vulnerable.

Adobe Reader and Acrobat - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9 - Macintosh

1) Go to the Applications->Adobe Reader 9 folder.
2) Right-click on Adobe Reader
3) Select Show Package Contents
4) Go to the Contents->Frameworks folder
5) Delete or move the AuthPlayLib.bundle file

Acrobat Pro 9 - Macintosh

1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right-click on Adobe Acrobat Pro
3) Select Show Package Contents
4) Go to the Contents->Frameworks folder
5) Delete or move the AuthPlayLib.bundle file

Adobe Reader - UNIX
1) Go to the installation location of Reader (typically a folder named Adobe)
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris)
3) Remove the library named "libauthplay.so.0.0.0"
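
The file-level mitigations above for Windows, Macintosh and UNIX can be audited and applied with one script. This is an added example, not code from Adobe: it searches an install root for the three component names the advisory gives and renames them rather than deleting them, so the step can be reversed once a fix ships. The `.disabled` suffix, the function names and the sample directory tree are assumptions made for illustration.

```python
import os
import sys
import tempfile

# Component names exactly as given in the advisory's mitigation steps (lower-cased).
AUTHPLAY_NAMES = {"authplay.dll", "authplaylib.bundle", "libauthplay.so.0.0.0"}
SUFFIX = ".disabled"  # assumption: rename in place so the step is easy to undo

def find_authplay(root):
    """Return sorted paths under root whose name is an authplay component."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames) + filenames:
            if name.lower() in AUTHPLAY_NAMES:
                hits.append(os.path.join(dirpath, name))
                if name in dirnames:
                    dirnames.remove(name)  # the Mac bundle is a directory; skip inside
    return sorted(hits)

def disable_authplay(root, dry_run=True):
    """Rename every component found under root; return (old, new) pairs."""
    changes = []
    for path in find_authplay(root):
        target = path + SUFFIX
        if os.path.exists(target):
            raise FileExistsError(target)  # never overwrite an earlier rename
        if not dry_run:
            os.rename(path, target)
        changes.append((path, target))
    return changes

def build_sample_tree():  # constructed layout mirroring the advisory's paths
    root = tempfile.mkdtemp()
    for sub, name, is_dir in [
        ("Adobe/Reader 9.0/Reader", "authplay.dll", False),
        ("Adobe Reader 9/Adobe Reader/Contents/Frameworks", "AuthPlayLib.bundle", True),
        ("Adobe/Reader9/Reader/intellinux/lib", "libauthplay.so.0.0.0", False),
    ]:
        os.makedirs(os.path.join(root, sub))
        path = os.path.join(root, sub, name)
        if is_dir:
            os.makedirs(path)
        else:
            open(path, "wb").close()
    return root

if __name__ == "__main__":
    for old, new in disable_authplay(sys.argv[1], dry_run="--apply" not in sys.argv):
        print(old, "->", new)
```

Run it with the install root as the only argument to list what would be renamed, and add `--apply` to perform the rename. Re-running it afterwards should list nothing, which doubles as a check that a later repair or reinstall has not restored the component.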

Severity rating

Adobe categorizes this as a critical issue.

Details

A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.

The Flash Player 10.1 Release Candidate available at http://labs.adobe.com/technologies/flashplayer10/ does not appear to be vulnerable.

Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Mitigation is available for Adobe Reader and Acrobat 9.x customers as detailed above.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

This advisory will be updated once a schedule has been determined for releasing a fix. Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.

Revisions

June 7, 2010 - Instructions for Macintosh and UNIX added to 'Mitigations' section
June 4, 2010 - Advisory released.
http://www.adobe.com/support/securit...apsa10-01.html

Adobe has acknowledged a "critical" security flaw in its Reader, Acrobat and Flash Player software.

Adobe says the vulnerability potentially enables hackers to take control of affected computer systems.

Users running Windows, Macintosh or Linux might all be open to attack.

The company is working to fix the problem. In the meantime, users of Reader, Acrobat and Flash are advised to ensure their anti-virus software is up to date.

"It doesn't really get any worse than a 'zero-day' vulnerability like this," said Graham Cluley, senior technology consultant at Sophos, a security software company.

He said that hackers could create a "booby-trapped Flash animation, or PDF" that would give them access to a person's computer, potentially allowing them to harvest personal information or use the machine to send spam messages.

In recent years, PDFs have become a popular means of sharing documents that are not easily altered by the recipient.

Vulnerability exploited

In a security advisory, Adobe said: "There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat".

Whilst it works to fix the problem, the company suggested upgrading to the latest "release candidate" for the Adobe Flash Player, version 10.1, which it said "does not appear to be vulnerable".

Alternatively, the company said that Adobe Reader and Acrobat users could delete or rename the "authplay.dll" file on their system.

However, Adobe said that doing so meant that "users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF [Adobe Flash] content."

Mr Cluley said that keeping anti-virus software up to date would also help to avoid problems.

"There has been a long history of vulnerabilities being found in Adobe's products," he said.

"This is probably because they are everywhere and omnipresent."

Adobe estimates that more than 95% of computers worldwide have Flash Player installed.

Argument strengthened

Apple has been criticised for preventing its popular iPhone and iPad devices from viewing Adobe Flash animations and videos.

Apple boss Steve Jobs recently wrote an open letter explaining that Adobe's Flash was, amongst other things, "the number one reason Macs crash".

Mr Cluley said: "The more people who are concerned about Adobe's products and the ability for them to be written securely, the more it backs up Steve Jobs' argument that Adobe's software is buggy.

"The crux of the problem is that Adobe have overloaded some of their programs with so many bells and whistles, that with lots of code, there is a much higher chance that there will be a bug.

"This vulnerability exploits a feature of a PDF file format that will not be widely used.

"A simpler code might have led to a simpler life."
http://news.bbc.co.uk/2/hi/technology/10257411.stm