June 5, 2010

Adobe Systems Inc. warned late Friday that malicious hackers are exploiting a previously unknown security hole present in current versions of its Adobe Reader, Acrobat and Flash Player software.

“There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat,” the company said in a brief blog post published Friday evening. “This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.”

Adobe said the vulnerability exists in Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and a component (authplay.dll) of Adobe Reader and Acrobat versions 9.x for Windows, Mac and UNIX operating systems.

The company notes that the Flash Player 10.1 Release Candidate, available from this link, does not appear to be vulnerable. Adobe also said Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Further, Adobe Reader and Acrobat users can mitigate the threat from this flaw by deleting, renaming or removing access to the “authplay.dll” file that ships with Reader and Acrobat (although users may still experience a non-exploitable crash or error message when opening a PDF that contains Flash content).

The vulnerable component should be located at these spots for Windows users:

Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll

Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll

Adobe says it is working on an official patch for the problem. Stay tuned for more details.

Update, June 7, 11:25 a.m. ET: Symantec is reporting that one strain of malware exploiting this vulnerability is something it calls Trojan.Pidief.J, which is a PDF file that drops a backdoor onto the compromised computer if an affected product is installed. Clearly, this is a follow-the-bouncing-malware type of exploit: “Upon analysis of an attack, it is also observed that a malicious [Shockwave Flash] file (detected as Trojan Horse) is used in conjunction with an HTML file (detected as Downloader) to download another malware (detected as Backdoor.Trojan) from the web,” the company said. Symantec notes that while the current attacks against this flaw are targeted and limited, that will likely soon change as more criminal groups start taking advantage of the vulnerability.

Update, June 8, 12:40 p.m. ET: Adobe said today that it plans to issue a patch for the Flash vulnerability (on 10.x versions of Flash) on Thursday, June 10, for Windows, Linux and Mac. But the software maker said it doesn’t expect to ship an update for Windows, Linux and Mac versions of Adobe Reader and Acrobat until June 29. Adobe also posted steps that Mac and Linux users can take to mitigate any threat from these vulnerabilities, in an updated advisory.

35 thoughts on “Adobe Warns of Critical Flaw in Flash, Acrobat & Reader

  1. snxuev

    thanks for notice.
    will update my flash app…so i can play poker again.

  2. Al

    Question: Are threats like this usually quickly covered by the major anti-virus programs?

    1. QQ

      Once a threat has been discovered it doesn’t take long for most AVs to detect it and for it to be patched.

      However rootkits that have been installed before the AV software wont be detected often and there are other short comings.

      Usually the new malware is undetected by most/all brand names AV, and malware can be recycled to pass signature detections..exploits wont work against patched programs, 0day means adobe didn’t release a patch to fix this vulnerability yet.

      Bottom line these Adobe focused threats are pretty serious, and having Avast or other software running on your PC doesn’t mean you are protected from exploited pdfs, it might stop what ever other malware the exploit may lead to being installed but that isnt sure either.

      1. JBV

        “However rootkits that have been installed before the AV software [was updated] wont be detected often and there are other short comings.”

        That’s why it’s so important to run full computer scans frequently, whatever AV program you use. My AV scan yesterday found 4 infections that weren’t there the last time it looked.

        1. Tom

          If a full system scan found 4 four infections that weren’t there the last time a scan was run, and you generally use reasonable security precautions, that would generate a big red flag in my mind as to the possibility of false positives.

          As I have mentioned in this forum before, every single malware detection on any of my systems in the past five years have later been determined to be false positives ( by the vendors) after I first submitted the files for analysis at VirusTotal.com and then informed the vendor of a possible false positive.

          1. QQ

            When you have lots of malware on your other computer but you are aware of it all and is there for experimental reasons,then you are in good position ๐Ÿ™‚

            About the 4 infections it depends how much do you trust your knowledge whether those are malware programs you want to have for various reasons(brute force etc) or real infections which you had no idea about, if its the latter I suggest a malware forum,

            They also offer training programs for malware cleaning, if the subject interest you a lot you might want to check it out, it is very time consuming…

          2. JBV

            Interesting thought, but not great advice if it leads people to ignore virus warnings in computer scans.

            My computer security super-expert suggested running a second virus check with a different AV program to be sure that all had been detected and removed, and then changing browsers. He never suggested that there might be false positives.

    2. QQ

      You are right in some sense it is a bad advice and Ive quited giving advices I just dont bother much any more but I can share experience.

      One sure thing I can tell from experience(unite training and more…) is that the infections are never over by pressing ‘quarantine’ on an AV.

      All the malware I have seen had additional parts such as files,folders,dlls,registry entries and so on.
      I’ll search these additional items and drop them manually if it is my own machine but might use auto removal tools otherwise or both..

      If my AV detected 4 files I never knew about and after a short research they are found to be adwares or trojans it means this machine requires extensive cleaning, as the AV will not remove the entire infection and it might recreate itself on boot and so on..

      On the other hand if the AV find a couple of brute force software and a trojan creator, or possibly even MS excel or other private programs that have keylogger features yet the AV flag them as malware because they are hack tools or un-signed or w/e, in such cases there is nothing to worry about usually.

      For this reason(unless you know what you are doing – and if you do you already know this and stopped reading…) i’ll always recommend a malware forum or equally extensive clean by a person of considerable knowledge to clean anything, if you don’t have time for malware forum then format the machine to be on the safe side.

      If you find zeus infection I suggest format again don’t bother with cleaning even if you have knowledge it isnt worth risking safety and sinking time for a couple of games or the usual stuff on a private computer.

    3. InfoSec Pro

      Detection by commercial A/V packages is unreliable at best. Statistics show that they miss more than they hit. Reason is that they use a flawed signature based approach for their primary detection mechanism, and the signatures are easily defeated by polymorphism. Even a minor change like adding one single NOP to the NOP sled smashing the stack will change the sig and avoid detection. Most malware is obfuscated by packing with some XOR value (remember the old ROT-13 trick?) to avoid detection, again just change the value used to obfuscate (eg, replace ROT13 with ROT47).

      Signature based antivirus is a broken technology, don’t trust your security to it!

      1. QQ

        One thing that works for the AV solutions is that most of the malware is recycled by encryption or byte adding etc..

        And once they add heuristics for that infection the detection rate increase.

        AV software tend to give itself high privileges on the system ,it monitors OS files and ‘sits’ in places that will prevent malware from fully functioning.

        Without going into details, it is suffice to say it is much better to have AV installed and running with updates, It might not save you from 0day fresh malware but it might prevent parts of it from running and the infection will be less severe and on top it blocks considerable amount of the on-the-wild malware decent best rated AV will block on average around 80-90% of random malware. It is like a chain mail or bullet vest, not immune but much better survival rates.

  3. Jan

    Did not find authplay.dll on my computer. Maybe because it’s not running Windows. ๐Ÿ™‚
    More details from Adobe would be welcome.

    1. jerry

      From here: http://www.adobe.com/support/security/advisories/apsa10-01.html

      Adobe Reader 9.x – Macintosh

      1) Go to the Applications->Adobe Reader 9 folder.
      2) Right Click on Adobe Reader
      3) Select Show Package Contents
      4) Go to the Contents->Frameworks folder
      5) Delete or move the AuthPlayLib.bundle file

      Acrobat Pro 9.x – Macintosh

      1) Go to the Applications->Adobe Acrobat 9 Pro folder.
      2) Right Click on Adobe Acrobat Pro
      3) Select Show Package Contents
      4) Go to the Contents->Frameworks folder
      5) Delete or move the AuthPlayLib.bundle file

      Adobe Reader 9.x- UNIX
      1) Go to installation location of Reader (typically a folder named Adobe)
      2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris)
      3) Remove the library named “libauthplay.so.0.0.0”

    1. Moike

      > report almost identical to this one came out in July of last year.

      Thanks for catching that one. It is advisable to delete /rename authplay.dll even after the fix comes out.
      1.) There is a high likelihood of a future regression.
      2.) Who needs to read a PDF document containing flash anyway?

  4. Rick

    ‘C:\Program Files\…’

    You really gotta love the way MSFT to this day put all apps in the same frigging directory. They still don’t have a clue.

  5. asmilwho

    Remind me again of why those comments Steve Jobs made about Flash were so outrageous

    1. Gary

      Because Steve Jobs was tarring the Flash compiler with the same brush as the Flash runtime. Adobe offered up functionality so that apps built on Flash could be directly converted to AppStore apps, using the official Apple APIs. So Jobs changed the rules so that those wouldn’t be allowed in the app store because he didn’t like the source language they were written in.

  6. Dustin

    How is putting apps in the Program Files directory anything to do with the article?
    Also why is it a problem, would you rather have a root drive with 60+ directories?
    That seems a little disorganized… explain Rick.

    1. prairie_sailor

      Besides organization, putting installed programs into a single folder makes it easier for OS level security permissions to be applied. By default non-admins can’t write (but they can read and exceute)to “Program Files” – by not being able to write to that folder Viruses can’t attach to progams there without exploiting a flaw. Now if only there were a concerted effort to teach even home users to use non-admin accounts…..

  7. AlphaCentauri

    Ironically, I had to reload this page three times to read the comments. Whether because the advertising feed sites are slow or because my Noscript is blocking their flash content from playing, I don’t know.

    1. Demenynx

      It works well on my computer with NoScript completely blocking everything. Just the JS comment rating stuff does not work.

    2. d

      It took two times for the page to load for me, and I’m on Mac using Safari.

  8. CloudLiam

    Wouldn’t it be easier to change permission for Flash in reader to “Never” rather than deleting or altering the dll?

    [Edit/Preferences/Multimedia Trust(legacy)]

    1. CloudLiam

      Sorry, just read the article TheGeezer linked to. Apparently my solution is inadequate to the task according to Adobe.

  9. Gannon

    I know money makes some people’s world go ’round, but how many times do we have to hear the words “critical flaw” in relation to Commercial Software.

    If you read BK’s old (2004) unclassified report from the NSA you would know that “Big Brother” won’t use the “Industry Standard” software either.

    The Google/Facebook axis of “do no evil” grants no expectation of privacy to Big Brother too. This may be one of those rare cases when Big Brother has no right to exist, but must exercise a right to self-defense.

  10. allspacealiensmustperish

    Proprietary software, by it’s very nature, is closed because it is always hiding something – intentional backdoors later called out and patched as routine security updates.

    If you’re using a proprietary Operating System, the result is the same.

  11. Daniel Snyder

    This doesn’t come as a major surprise. I do wonder what it’s like in adobe’s offices when they discover something like this. I wonder how much coffee they’re brewing.

  12. Russ

    If you can, it isn’t a bad idea to get away from Adobe’s software. Flash player is your only option for such, but for PDF there are some good choices out there. Most people recommend Foxit, but I’m a big fan of Sumatra PDF. Its refreshingly lightweight and responsive. Neither can match 100% features of Adobe’s app but for many they should be more than sufficient.

  13. Jonathan Dale

    When I first heard about this announcement, I thought about the IT staff and where their minds are. I remember working on the support desk year and years ago when a Cisco announcement came out and the fire drill it was to upgrade hardware.

    I wrote about it more today and the new technology that helps IT understand which devices are impacted in just seconds.

  14. Moonlight Gambler

    I don’t know about Mr Jobs, but for me this is why I don’t like Adobe products.

    Bring on HTML5 and a Flash free world.

  15. Peter

    I have been reading that Adobe will release a Flash patch today (June 10). I am wondering if the fix is a rushed release of 10.1 which was at RC7 just 2 days ago or if it truly a patch? Does anyone have any insight? Does anyone have any information on the stability of the RC for Flash 10.1?

  16. Chris

    Does anyone know what the coresponding registry keys would be for the multimedia(legacy) preferences? I was just reading today about a secuitygroup called Abysssec who are putting out what they are calling their “Month of Abysssec Undisclosed bugs” or MOAUB. The first exploit they released yesterday is a for adobe reader 9.3.2 or lower and once again the culprit is the authplay.dll responsible for processing flash contents in PDF files. You can find the information here: http://www.abysssec.com/blog/2010/09/moaub-1/

Comments are closed.