Slashdot Mirror


Adobe Warns of Flash, PDF Zero-Day Attacks

InfosecWarrior writes "Adobe issued an alert late Friday night to warn about zero-day attacks against an unpatched vulnerability in its Reader and Flash Player software products. The vulnerability, described as critical, affects Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems. It also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh, and Unix operating systems."

5 of 216 comments

  1. Good thing ... by Anonymous Coward · · Score: 5, Funny

    ... my iPad isn't affected!

    1. Re:Good thing ... by AnonymousClown · · Score: 5, Funny

      As long as the other platforms use Flash, you're just kinda left out in the cold.

      Pfft. There's plenty of porn on MP3 and WMV.

      --
      RIP America

      July 4, 1776 - September 11, 2001

  2. Official Workaround by Mojo66 · · Score: 5, Insightful

    Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

    An initially rather secure document format (PDF) has become insecure because Adobe has added a plethora of mostly useless functions like Flash, JavaScript, etc. to it.

  3. Re:Look at the credits for Adobe Reader. by rudy_wayne · · Score: 5, Insightful

    Problems like this are common because reader and flash are ubiquitous,

    No, problems like this are common because companies keep cramming more and more unnecessary crap into their software. From the article:

    In the absence of a patch, Adobe recommends deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x. This will mitigate the threat but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

    Why do you need "SWF content" in a PDF file? And then there was the story from a couple months ago about the ability to embed executable commands in a PDF file, and it isn't a flaw - it's a feature built into the PDF spec. Sloppy programming combined with more and more crap that doesn't belong guarantees that these problems will keep showing up.

  4. Re:Zero-day? by Alwin Henseler · · Score: 5, Informative

    Buzzword or not, "zero day" means a vulnerability that is already being exploited by the time it's published. If a vulnerability is published but no exploit exists -> no zero day.

    Regardless of what you think of reasons for using that "zero day" label, this is very relevant to end-users: zero day -> you're at risk, NOW. No zero day -> you're probably safe (for the time being, that is).