Flash Flaw Gives Critics New Ammunition
Jun 7, 2010 11:47 AM PT
Adobe has reported a vulnerability in several of its applications. The flaw, which Adobe rates as "critical," exists in Flash Player, Adobe Reader and Acrobat 9.x running on most operating systems.
It could crash a victim's PC and let hackers take over the machine.
The flaw couldn't come at a worse time -- Apple has been criticizing some Adobe technologies, including Flash, in recent months for several reasons, one of which has been security. Together with Microsoft, Apple pushing HTML5 as an alternative to Flash.
The Adobe Vulnerability
The latest flaw, which Adobe has dubbed "CVE-2010-1297," exists in Adobe Flash Player 10.0.45.2 and earlier versions for the Windows, Macintosh, Linux and Solaris operating systems.
It also exists in the "authplay.dll" component that ships with Adobe Reader and Acrobat 9.x for Windows, Mac and Unix operating systems.
It could cause a crash and potentially allow an attacker to take control of a victim's system, Adobe warned.
However, Flash Player 10.1 Release Candidate doesn't appear to be vulnerable, Adobe said. This is available here. Users should upgrade to Flash Player 10.1 RC, Adobe spokesperson Wiebke Lips advised.
Adobe Reader and Adobe Acrobat 8.x also do not suffer from the latest vulnerability.
Adobe found out about the vulnerability Friday when it was informed that Flash Player and Acrobat were coming under attack.
"We received multiple notifications of attacks in the wild against Adobe Flash Player via malicious SWF files and Adobe Reader/Acrobat via PDF files with embedded SWF files," Adobe's Lips told TechNewsWorld. "We immediately issued a security advisory, which includes mitigation options."
The SWF file format delivers vector graphics, text, video and sound over the Internet. It is supported by Adobe Flash Player and Adobe Air.
Adobe is working on a fix and will let users know as soon as it is available, Lips said.
Working Around the Flaw
Users of Adobe Reader and Acrobat 9.x can mitigate the threat posed by the flaw by deleting, renaming or removing access to the "authplay.dll" file they ship with.
This file is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader. It is located at C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Adobe Acrobat.
However, this solution comes at a price -- users will experience a crash or error message when opening a PDF file that contains SWF content.
Hackers Home In on the Adobe Flaw
Security vendors Trend Micro and Symantec have already detected hackers launching attacks through the Adobe flaw.
Trend Micro has named malicious files exploiting the vulnerability "TROJ_PIDIEF.WX." Its Smart Protection Network detects and deletes the exploit.
Symantec has named the exploit "Trojan.Pidief.J." Symantec says the exploit is a PDF file that drops a back door Trojan onto a victim's computer if the computer has one of the affected Adobe products installed.
Symantec has also spotted an attack using a malicious SWF file, which it detects as a Trojan horse. Alternatively, the attack is used in conjunction with an HTML file Symantec detects as "Downloader" to download another piece of malware from the Internet. The security vendor detects that second piece of malware as "Backdoor.Trojan."
Victims could be hit in various ways, Symantec said. For example, they could receive an email with a malicious PDF attachment; or receive an email with a link to the malicious PDF file or to a website containing malware embedded in HTML code. Victims could also be hit when they stumble across a malicious PDF or SWF file while surfing the Web.
"Make sure operating systems and applications are updated with the latest patches," Paul Wood, a Symantec MessageLabs Intelligence senior analyst, advised.
Users should not open suspicious email attachments or attachments that aren't expected, Woods told TechNewsWorld.
Fanning the Anti-Adobe Flames
News of the flaw comes at an especially bad time for Adobe.
Back in April, Apple chairman and CEO Steve Jobs posted an open letter on his company's website accusing Adobe's products of lacking security and reliability, performing poorly and not being open, among other things. He recommended HTML5 as an alternative.
That triggered a war of words between Cupertino and Adobe, and Microsoft jumped in on Apple's side to support HTML5.
"This will add fuel to the Apple fire," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld. "Apple has for a long time complained that one of the primary problems with Flash is that it's insecure and unreliable, and this will add to that argument."
Jobs may well have a point -- in the 11 months starting July 2009, at least six security holes were found in Adobe Flash.
"This puts further pressure on Adobe because their product is perceived as insecure and unreliable, and this makes the move to HTML5 more appealing," Enderle said.