Tuesday, April 12, 2011

Security Alert (A11-04-01): Vulnerability in Adobe Flash Player and Adobe Reader/Acrobat

Affected Systems:
  • Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris
  • Adobe Flash Player 10.2.154.25 and earlier for Chrome users
  • Adobe Flash Player 10.2.156.12 and earlier for Android
  • Adobe Reader X (10.0.2), Reader 9.x and earlier versions for Windows and Macintosh
  • Adobe Acrobat X (10.0.2), Acrobat 9.x and earlier versions for Windows and Macintosh
Summary:
A vulnerability has been found in Adobe Flash Player and in the "authplay.dll" component that ships with Adobe Reader and Acrobat, which could cause a crash and potentially allow an attacker to take control of the system. To exploit the vulnerability, a remote attacker could entice a targeted user to open a malicious website with Flash content, or a specially crafted Flash (.swf) file embedded in a Microsoft Word (.doc) file or other Microsoft Office document and delivered as an email attachment.
Reports indicate that the vulnerability is being actively exploited in the wild.
Impact:
Successful exploitation could allow a remote attacker to execute arbitrary code and take complete control of an affected system.
Recommendation:
Currently, patches for the vulnerability are still pending from the product vendor. Since the vulnerability could be exploited by simply viewing a malicious website without user interaction, as an interim measure and as a matter of security best practice, users are reminded not to visit suspicious websites, not to open PDF files or Microsoft Office documents of doubtful origin, and not to follow URL links from untrusted sources or emails such as spam. Users should also keep virus signatures and the detection and repair engine up to date.
To verify the Flash Player version installed, you may visit the following URL:
  • http://www.adobe.com/products/flash/about/
We shall update you in due course once the patches are available and on the latest developments of the issue.
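For checking many machines rather than one browser at a time, the following added example (not part of the original alert or of any vendor tool) compares inventory entries against the thresholds in the Affected Systems list above. The inventory format, host names and sample versions are constructed for illustration, and the "desktop" platform label is an assumption that groups the Windows, Macintosh, Linux and Solaris builds.

```python
import re

# Highest affected version per (product, platform), copied from the
# "Affected Systems" list of this alert.
AFFECTED_MAX = {
    ("flash", "desktop"): (10, 2, 153, 1),    # Windows, Macintosh, Linux, Solaris
    ("flash", "chrome"): (10, 2, 154, 25),
    ("flash", "android"): (10, 2, 156, 12),
    ("reader", "desktop"): (10, 0, 2),        # Windows, Macintosh
    ("acrobat", "desktop"): (10, 0, 2),
}

# Constructed sample inventory (assumed format): host;product;platform;version
INVENTORY = """\
ws-014;flash;desktop;WIN 10,2,153,1
ws-015;flash;desktop;9.0.280.0
ws-050;flash;chrome;10.2.154.27
ph-003;flash;android;10.2.156.12
ws-040;reader;desktop;9.4.3
ws-041;acrobat;desktop;10.0.2.0
srv-01;shockwave;desktop;11.5.9.620
"""

def parse_version(text):
    """Turn '10.2.153.1' or 'WIN 10,2,153,1' into a tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(product, platform, version_text):
    """True/False for listed products, None if the alert does not cover it."""
    limit = AFFECTED_MAX.get((product.lower(), platform.lower()))
    if limit is None:
        return None
    ver = parse_version(version_text)
    # Compare numerically and pad with zeros, so 9.0.280.0 < 10.2.153.1
    # (a string compare gets this wrong) and 10.0.2.0 == 10.0.2.
    width = max(len(ver), len(limit))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(ver) <= pad(limit)

def triage(inventory):
    """Return (host, product, version) for every affected entry."""
    rows = (line.split(";") for line in inventory.strip().splitlines())
    return [(h, p, v) for h, p, plat, v in rows if is_affected(p, plat, v)]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} is within the affected range")
```

Entries for products the alert does not list return None and are skipped rather than reported as safe.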
More Information:
More information about this issue is available at:
  • http://www.adobe.com/support/security/advisories/apsa11-02.html
  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0611