
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


As Adobe Contemplates Monthly Patch Cycle, Critical Vulnerability Threatens

There has been talk recently of Adobe moving towards a monthly patch release cycle, after successfully introducing a quarterly patch cycle in the middle of 2009. If it were to be introduced, it would be another big step in Adobe's improving stance on security in its products.

That isn't to say that Adobe always get it right. Late last week, Adobe issued an advisory for a critical vulnerability in Adobe Flash Player, across all supported operating systems, as well as in a critical library associated with Adobe Reader and Acrobat 9.x. According to Adobe's bulletin, a successful attack against the vulnerability could lead to a crash of the application and possible remote code execution ("potentially allow an attacker to take control of the affected system", in Adobe's words). Such a vulnerability is Critical in its own right; add that it is apparently being targeted in the wild, with attacks against both Flash and PDF, and it becomes a much more serious problem.

Adobe haven't issued a date for release of the fix, but in the interim, updating to Flash Player 10.1 apparently mitigates the Flash Player vulnerability, and removing access to the authplay.dll file will mitigate the Adobe Reader and Acrobat issue (there is also the option of downgrading to 8.x versions, which are listed as "confirmed not vulnerable"). The authplay.dll library is what allows PDF files to contain embedded Flash (SWF) content. Attempting to view a file with this embedded content after disabling the library can lead to a crash or error message, but will not result in an exploitable situation for the user.
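For administrators applying the interim authplay.dll mitigation across several machines, the following is an added example (not Adobe's or this site's code) that inventories every copy of the library under a set of directories and, when asked, takes it out of service. Renaming the file with a `.disabled` suffix is an assumed way of removing access that keeps the change reversible, and the default search roots are assumptions as well.

```python
import os
from pathlib import Path

TARGET = "authplay.dll"   # library named in the mitigation above
SUFFIX = ".disabled"      # assumed marker; chosen so the change is easy to undo

def find_authplay(roots):
    """Return every file named authplay.dll (case-insensitive) under roots."""
    hits = []
    for root in roots:
        # os.walk silently skips directories it cannot read
        for dirpath, _dirs, files in os.walk(root):
            hits += [Path(dirpath) / f for f in files if f.lower() == TARGET]
    return sorted(hits)

def disable_authplay(roots, dry_run=True):
    """Rename each copy so the host application can no longer load it.

    Returns (path, status) pairs; status is 'found' in dry-run mode,
    otherwise 'disabled' or 'error: <reason>'.
    """
    results = []
    for path in find_authplay(roots):
        if dry_run:
            results.append((path, "found"))
            continue
        dest = path.with_name(path.name + SUFFIX)
        try:
            os.replace(path, dest)  # also overwrites a stale .disabled copy
            results.append((path, "disabled"))
        except OSError as exc:      # e.g. file in use, or insufficient rights
            results.append((path, f"error: {exc.strerror}"))
    return results

if __name__ == "__main__":
    # Assumed default search roots on Windows; pass real install paths instead.
    roots = [p for p in (os.environ.get("ProgramFiles"),
                         os.environ.get("ProgramFiles(x86)")) if p]
    for path, status in disable_authplay(roots, dry_run=True):
        print(f"{status:10} {path}")
```

Run it in dry-run mode first to see which installations still carry the library, then with `dry_run=False` from an elevated session with Reader and Acrobat closed.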

With the widespread use of Flash for advertising and interactive content on the Internet, and the use of PDF files for greater control over document formatting and display than other document formats, this is a major problem that needs to be addressed by Adobe as quickly and securely as they can.

6 June 2010
