Adobe Security Advisory

October 28, 2010

Adobe Systems has released a new Security Advisory [APSA 10-05] for its Flash Player, Reader, and Acrobat software. There is a critical security vulnerability present in all current versions of these packages, on all platforms (Windows, Mac OS X, and UNIX/Linux):

A critical vulnerability exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.

Adobe says that:

Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Adobe Reader for Android is not affected by this issue.

The vulnerability is serious, and it appears that it is currently being exploited by Flash content embedded in PDF documents.

This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.

The announcement says that Adobe is working on a fix, and expects to deliver it by the middle of November.

The vulnerability is in a shared library (DLL), called authplay.dll on Windows systems, AuthPlayLib on Mac OS X, and on Linux. Mitigation steps are detailed in the Security Advisory, but basically entail renaming, relocating, or removing this library. This will in some cases cause a non-exploitable crash when a document file using these features (even innocently) is opened.
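One practical use of the affected-version statements above is to check a software inventory for Reader and Acrobat installs in the range the advisory names. The following is an added example, not code from the advisory or this post; it encodes only what is stated here (9.4 and earlier 9.x affected, 8.x and Reader for Android not affected), the `Install` record and the inventory are constructed, and Flash Player thresholds are left out because the post does not give them.

```python
"""Flag Reader/Acrobat installs in the range APSA10-05 calls affected (CVE-2010-3654)."""
from __future__ import annotations
from dataclasses import dataclass

AFFECTED_MAJOR = 9
LAST_AFFECTED = (9, 4, 0)   # "9.4 and earlier 9.x" per the advisory text


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.4.0' into (9, 4, 0); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str, platform: str) -> bool:
    """True if this Reader/Acrobat install falls in the advisory's affected range."""
    product = product.lower()
    if product not in ("reader", "acrobat"):
        raise ValueError("only Reader and Acrobat are modelled here")
    if product == "reader" and platform.lower() == "android":
        return False                      # Reader for Android is not affected
    v = (parse_version(version) + (0, 0, 0))[:3]   # normalise to major.minor.patch
    if v[0] != AFFECTED_MAJOR:
        return False                      # 8.x confirmed not vulnerable; others not listed
    return v <= LAST_AFFECTED             # 9.0 .. 9.4 inclusive; anything later is outside the range


@dataclass
class Install:
    host: str
    product: str
    version: str
    platform: str


# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = [
    Install("ws-01", "Reader", "9.4.0", "Windows"),
    Install("ws-02", "Reader", "8.2.5", "Windows"),
    Install("mac-03", "Acrobat", "9.3.4", "Mac OS X"),
    Install("phone-04", "Reader", "9.4", "Android"),
]


def affected_hosts(inventory: list[Install]) -> list[str]:
    """Hosts whose Reader/Acrobat install should be mitigated or patched."""
    return [i.host for i in inventory if is_affected(i.product, i.version, i.platform)]


if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```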

I will post any updated information on this as I receive it.

Mozilla Updates Thunderbird

October 28, 2010

Mozilla has, in addition to the Firefox update I discussed in the last post, released a new version, 3.1.6, of its Thunderbird E-mail client, for Linux, Windows, and Mac OS X. This update addresses the same vulnerability as the Firefox update; the risk for Thunderbird is lower, since the flaw can't be exploited through normal E-mail usage. More details of the update are in the Release Notes. You can get the new version using the built-in update mechanism (Menu: Help / Check for Updates), or you can download an installation package here.

Although the risk from the patched vulnerability is not as great for Thunderbird as it is for Firefox, I do recommend installing this update as soon as you conveniently can.

Critical Firefox Update

October 28, 2010

Mozilla has released a new version, 3.6.12, of its Firefox browser, for Mac OS X, Linux, and Windows. This update fixes a critical security vulnerability, which potentially allows a remote attacker to run arbitrary code on the target system. You can get the new version via the built-in update mechanism (Menu: Help / Check for Updates); alternatively, you can download installation packages for all platforms, in many different languages. Further information about the new version is available in the Release Notes, and specific information about the patched vulnerability is in the Security Advisory MFSA 2010-73.

Because of the seriousness of the flaw, and because there have been reports of exploits for the flaw on the Internet, I recommend installing this update as soon as you can.
