Yet another 0-day security hole - update now available


sidney
July 31st, 2009, 07:24 AM
This time the vulnerability is in Adobe Flash Player, Shockwave, and Adobe Reader, the latter because PDF files can now have embedded Flash and the bug is in the Flash player.

It is, once again, a serious vulnerability that has been seen in the wild with the potential of Flash-based malware taking over your machine if you visit a site that has malware Flash content on it and you run the Flash content.

This is a cross-platform vulnerability, existing in the Windows, MacOS, Linux and Solaris versions of the Adobe products.

Adobe has just released updates for Flash Player and Shockwave. The update for Adobe Reader is supposed to be released within a day.

Get a new Flash Reader at http://get.adobe.com/flashplayer/
Get a new Shockwave (if you have an old one installed) at http://get.adobe.com/shockwave/

And to make it even scarier, what I said at the top is not strictly correct. The new version of Flash Reader does not fix a vulnerability. According to the Adobe security announcement at http://www.adobe.com/support/security/bulletins/apsb09-10.html it fixes twelve newly discovered critical vulnerabilities!

The vulnerability in Shockwave is only on Windows and only in IE.

When the new Adobe Reader version is released the announcement at http://www.adobe.com/support/security/bulletins/apsb09-10.html will be updated to link to its download page.

Judy G. Russell
August 1st, 2009, 11:44 PM
> This time the vulnerability is in Adobe Flash Player, Shockwave, and Adobe Reader, the latter because PDF files can now have embedded Flash and the bug is in the Flash player.

And in Acrobat... which I am now off to update...

davidh
August 2nd, 2009, 02:57 AM
> When the new Adobe Reader version is released the announcement at http://www.adobe.com/support/security/bulletins/apsb09-10.html will be updated to link to its download page.

I'm assuming that a malicious Flash object could either be included in a PDF or downloaded by Reader after the PDF had been downloaded and opened in Reader.

If the latter is the case (i.e. SUBSEQUENT download), it might not be a bad idea to block access by Reader to the Internet in all cases in one's firewall or at least make the firewall query for permission to access the Internet.

IOW, preventative measures such as NoScript would be insufficient to protect against attacks OUTSIDE of Firefox.

ndebord
August 5th, 2009, 08:27 PM
Sidney,

Up until this year, I was a fan of Adobe... I now use Foxit Reader and Editor and only tolerate Flash. The idea that Adobe waited 7 months to fix a major flaw is either proof that they think their monopoly is flawproof or they've laid off too many programmers.

<sigh>