Affected are more or less all Flash users. This includes Flash installations on Windows, Mac and Linux, the built-in Flash Player of the Google Chrome browser, Flash on Android and Flash in Adobe Reader and Acrobat.

• Flash Player 10.2.153.1 and earlier versions on Windows, Mac, Linux, Solaris
• Adobe Flash Player 10.2.154.25 and earlier for Chrome
• Adobe Flash Player 10.2.156.12 and earlier versions for Android
• Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems

Adobe confirmed reports that the vulnerability is actively exploited. The vulnerability uses embedded Flash files in Microsoft Word documents to exploit the issue. According to Adobe’s information those are delivered as email attachments and targeting the Windows platform.

Adobe Reader and Acrobat do not appear to be targeted right now. Adobe Reader X users are protected from this exploit by the program’s Protected Mode.

Adobe is currently finalizing a schedule for delivering updates for all affected versions of Flash Player except for Adobe Reader X which will receive the update on the next quarterly security update on June 14, 2011.

How can users protect their system from these kind of attacks? You should be cautious when you receive document attachments, especially if they come from unknown senders. Probably the best option in this case is to save those attachments to the computer, and open them in an online viewer such as Google Docs.

You could alternatively use a third party document viewer that does not support Flash, but the safest bet is an online viewer.

Interested users find additional information about the newly discovered Flash vulnerability at the Adobe Security Bulletin.

Adobe has confirmed reports that the vulnerability is actively exploited via swf files that are embedded in Microsoft Excel files that are delivered via email attachments. A successful exploit causes a crash of the application and could give an attacker control over the computer system.

A security fix is in the final stages of development, and Adobe estimates that it can be distributed during the next week. Computer users for now should be very cautious when they receive emails with Excel attachments, especially if the sender is unknown. It may be a good idea to open the documents online, for instance via Google Docs instead of a desktop client to block potential attacks.

Protected Mode of Adobe Reader X mitigates the issue according to Adobe, so that the security fix for that version will be delivered with the quarterly security update that is scheduled for June 14.

In short:

• All Flash Player versions 10 are affected for all supported desktop and mobile operating systems.
• All versions of Adobe Reader and Acrobat X, 10 and 9 are affected
• The vulnerability is exploited via Excel email attachments that have a Flash file embedded.
• A patch will be delivered in the next week

Additional information are available at the Security Advisory over at Adobe’s website.

The security update for Adobe Flash Player fixes several critical vulnerability in Flash Player 10.1.102.64 and earlier on Windows, Macintosh, Linux and Solaris. Successful exploits could “cause the application to crash and could potentially allow an attacker to take control of the affected system”.

The update increases the version of the application to Adobe Flash Player 10.2.152.26 on all affected systems.

The update can be downloaded directly from Adobe.

More information about the update are available on Adobe’s Security Bulletin page.

Adobe Reader, Acrobat

Critical vulnerabilities have also been identified in Adobe Reader and Acrobat. Affected versions include Adobe Reader X, Adobe Reader 9.4.1 for Windows, Macintosh and Unix, and Adobe Acrobat X and earlier for Windows and Macintosh. Please note that the update incorporates the Adobe Flash Player update.

The vulnerabilities “could cause the application to crash and potentially allow an attacker to take control of the affected system. Risk for Adobe Reader X users is significantly lower, as none of these issues bypass Protected Mode mitigations”.

Updates are available to increase the version of Adobe Reader X to 10.0.1, Adobe Reader 9.4.1 to 9.4.2 and Adobe Acrobat X to 10.0.1.

Download links for all affected applications are posted on the security bulletin page over at Adobe.

To make matters worse, a new vulnerability has been confirmed by Adobe affecting Adobe Reader 9.2 or later and Adobe Reader 8.1.7 or later. A “proof-of-concept file demonstrating a Denial of Service was published” already that crashes the pdf reader. The exploit does not demonstrate arbitrary code execution, but Adobe is not eliminating the possibility at this point in time. It has to be noted that Adobe Acrobat is not affected by the security vulnerability.

The blog post of the Security and Response team offers instructions on how to protect the computer system from this vulnerability.

Adobe Reader 9.2 and later and Adobe Reader 8.1.7 and later – Windows

On Windows, the JavaScript Blacklist can be in two locations. Please review the following options and then create the registry key of your choice:

Enterprise list: This blacklist helps enterprises roll out policies that block exploitable API(s) from executing in their environment. Populating the blacklist in this location is the responsibility of the enterprise. Adobe patches never modify this registry location.
To create the registry key:
HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cJavaScriptPerms\tBlackList

Adobe’s update/patch list: The Adobe blacklist is modified by Adobe Reader patches whenever an API is deemed vulnerable. APIs are also removed from the blacklist whenever a fix for a vulnerability is provided by the current patch.
To create the registry key:
HKLM\SOFTWARE\Adobe\<product>\<version>\JavaScriptPerms\tBlackList

On a 64 bit Windows system, the path is:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe

->To prevent this particular issue, add the following value to the registry key created in the previous step (case sensitive):
Doc.printSeps

->Exit and restart the application

Adobe Reader 9.2 and later and Adobe Reader 8.1.7 and later – Macintosh

On your Macintosh computer, go to the Applications folder or to the location where you have Adobe Reader installed.
Right-click on Adobe Reader
Click on Show Package Contents
Expand Contents
Expand MacOS
Expand Preferences
Create a backup of the FeatureLockDown file.
Right-click on FeatureLockDown.
Open With TextEdit.
Just before the last >> add the following line to the FeatureLockDown file (case sensitive):
/JavaScriptPerms [ /c << /BlackList [ /t (Doc.printSeps) ] >> ]
Save the file
Restart Adobe Reader

Adobe Reader 9.2 and later – UNIX

Go to the Global Prefs file at:
/Reader/GlobalPrefs/reader_prefs
Add the following line to the file:
/JavaScriptPerms [/c << /BlackList [/t (Doc.printSeps) ] >> ]

There you have it. Make sure you protect your version of Adobe Reader from the vulnerability by following the instructions posted above. The posting does not offer any information on the consequences of protecting the pdf reader from the vulnerability. It is also not clear if Adobe will be able to include the patch for this vulnerability in the upcoming update.

As if that was not enough, there is also a new vulnerability in Adobe Shockwave Player.

Krystian Kloskowski has discovered a vulnerability in Shockwave Player, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to a use-after-free error in an automatically installed compatibility component as a function in an unloaded library may be called.

Successful exploitation allows execution of arbitrary code, but requires that a user is tricked into opening the “Shockwave Settings” window when viewing a web page.

The vulnerability is confirmed in version 11.5.9.615. Other versions may also be affected.

The description makes it clear that systems are only vulnerable to this attack if the user opens the Shockwave Settings window on a specially prepared website.

Basically, both Flash Player and Adobe Reader / Acrobat are affected by the security vulnerability. According to Adobe’s security bulletin, the issue is actively exploited against Adobe Reader and Acrobat on Windows.

Adobe is currently working on patches and aims to release the Flash Player patch on November 9, 2010 and the Adobe Reader / Acrobat patch on November 15, 2010. That’s puzzling considering that the company has admitted that the issue is actively exploited against Adobe Reader and Acrobat.

Mitigations were posted to protect the computer system.

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content. The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

No mitigating factors were offered for the Flash vulnerability. The only ones that are known to work are to either disable Adobe Flash in the browser, or to use a flash blocking script such as NoScript for Firefox.

The Register has additional information about the pdf exploit. According to their information, attackers “install a nasty trojan known as Wisp, which according to Microsoft, steals sensitive user data and installs a backdoor on compromised systems.”

With patches as far away as two weeks, it is recommended to disable authplay.dll in Adobe Reader or Acrobat, and disable or block the Flash plugin in the web browser to protect the computer system against these attacks.

The rushed state of the release indicates that the issue gets actively exploited which is confirmed in Adobe’s Security Bulletin that mentions that the issue is being actively exploited in the wild. Attackers may be able to crash the application on the computer and take control of the affected system in the process. Upgrading is the only way of protecting the computer from those vulnerabilities.

Adobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh,
who cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.) Adobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.

This accelerated patch breaks Adobe’s quarterly patch day that is set for every second Tuesday of each quarter of the year to fall in line with Microsoft’s Patch Tuesday. Interested users can take a closer look at the Security Bulletin, or point their web browsers to Get Adobe Reader right away to download the latest version of the pdf reader. Updates are also available directly in the program (by clicking on Help > Check for Updates).

Adobe expects to make the updates “available during the week of August 16, 2010″, which does mean that millions of computer systems running either Adobe Reader or Adobe Acrobat are left vulnerable for the time being.

Adobe is planning to release updates for Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh to resolve critical security issues, including CVE-2010-2862 which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. Adobe expects to make these updates available during the week of August 16, 2010

The security advisory does not reveal information about the vulnerabilities, only that one was discussed at last month’s Black Hat USA 2010 security conference, that all platforms are affected, and that Adobe Reader 9.3.3 and earlier, and Adobe Acrobat 9.3.3 and earlier are affected.

The advisory over at Secunia reveals additional details about the vulnerability discussed at the Black Hat conference. The Adobe Reader / Acrobat Font Parsing Integer Overflow Vulnerability has been rated as highly critical, the second highest possible rating.

The vulnerability is caused due to an integer overflow error in CoolType.dll when parsing the “maxCompositePoints” field value in the “maxp” (Maximum Profile) table of a TrueType font. This can be exploited to corrupt memory via a PDF file containing a specially crafted TrueType font.

Successful exploits may allow remote code execution on the targeted system.

Users with Adobe Reader or Adobe Acrobat installed may want to consider switching to another pdf reader for the time being, to protect their computer system from those vulnerabilities. Alternatives are listed on our pdf reader comparison page.

The vulnerabilities received a severity rating of highly critical, the highest possible rating, by Secunia since they were both actively exploited and would allow remote code execution on affected computer systems.

Adobe’s Response Team has updated the security vulnerability with the planned schedule for a patch to resolve the issue.

According to those information a patch for Flash Player 10 will be released on June 10 while Adobe Reader and Acrobat 9 users have to wait until June 29 for the patch.

The patches will be made available for all supported operating systems with the exception of Flash Player for Solaris.

The delay until the page becomes available is bad news for Adobe Reader and Acrobat users who have to find ways to protect their systems from the security vulnerability in the meantime.

Adobe is offering mitigation instructions on their website for Windows, Unix and Macintosh.

Adobe Reader and Acrobat – Windows

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader 9.x and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.

The authplay.dll that ships with Adobe Reader 9.x and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x – Macintosh

1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader
3) Select Show Package Contents
4) Go to the Contents->Frameworks folder
5) Delete or move the AuthPlayLib.bundle file

Acrobat Pro 9.x – Macintosh

1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro
3) Select Show Package Contents
4) Go to the Contents->Frameworks folder
5) Delete or move the AuthPlayLib.bundle file

Adobe Reader 9.x- UNIX

1) Go to installation location of Reader (typically a folder named Adobe)
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris)
3) Remove the library named “libauthplay.so.0.0.0″

It is recommended to either perform the operations on affected computer systems or switch to another pdf reader at least for the time until the vulnerability gets fixed.

Highly critical is a rating for “remotely exploitable vulnerabilities that can lead to system compromise” that usually do not “require any interaction” and where exploits are already in the wild.

The Adobe Flash vulnerability that has been reported is affecting Adobe Flash Player 10.x and Adobe Flash Player 9.x.

A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an unspecified error. No more information is currently available.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in version 10.0.45.2 and prior 10.0.x and 9.0.x versions for Windows, Macintosh, Linux, and Solaris.

NOTE: The vulnerability is reportedly being actively exploited.

The release candidate of the upcoming Adobe Flash Player 10.1 does not seem to be affected by the vulnerability according to the information at the Secunia website.

Users who want to protect their computer system from being exploited by the vulnerability can either disable Adobe Flash for the time being or update to the Adobe Flash Player 10.1 Release Candidate. Additional information about the vulnerability are posted in a Security Bulletin at the Adobe website.

The Adobe Reader and Adobe Acrobat vulnerability might be related to the Adobe Flash vulnerability. The Secunia Advisory lists Adobe Reader 9 versions for Windows, Macintosh and Linux as affected by the vulnerability.

The vulnerability is caused due to a vulnerable bundled version of Flash Player (authplay.dll).Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in version 9.3.2 and earlier 9.x versions for Windows, Macintosh, and UNIX.

NOTE: The vulnerability is currently being actively exploited.

The temporary solution to protect the computer system from the exploits is to delete, rename or remove access to autoplay.dll to prevent Flash content from being executed in Adobe Reader and Acrobat.

The critical vulnerabilities are affecting all operating systems that Adobe Reader is compatible with (Microsoft Windows, Apple Macintosh and Unix based) and versions of Adobe Reader 9.3.1 and Adobe Acrobat 9.3.1 or earlier.

The critical nature of the vulnerabilities requires immediate attention from users who have affected software versions installed on their computer systems.

Adobe is offering the update through various channels. It is possible to check for updates from within the pdf readers by clicking on Help > Check for updates or to download the updates from the official Adobe website.

Adobe Reader users on Windows can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can also find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here:
ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.3.2/.

The update is still separated from the full version of Adobe Reader that is offered on the Adobe homepage. There is still no full version of Adobe Reader 9.3.2 available on the Adobe homepage which still offers Adobe Reader 9.3.0 to visitors.

Users who want to find out more about the security vulnerabilities can check out the security bulletin that contains detailed information about the vulnerabilities that are closed with the new release.

Today a critical vulnerability was disclosed that is affecting all Adobe Reader 9.3 and earlier and Adobe Acrobat 9.3 and earlier versions on Windows and Macintosh. The Adobe Reader 9.3 or earlier Unix versions are also vulnerable.

As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe has reacted promptly this time as updates for Adobe Reader and Acrobat are already available for download and installation. It is suggested to download the new releases as soon as possible to protect the computer system from the security vulnerability.

The security bulletin posted at the Adobe website contains download links for all supported operating systems.

• Microsoft Security Bulletin MS10-001 – Critical Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270) – This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font in client applications that can render EOT fonts, such as Microsoft Internet Explorer, Microsoft Office PowerPoint, or Microsoft Office Word. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  This security update is rated Critical for Microsoft Windows 2000, and is rated Low for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Adobe has released security updates for Adobe Reader and Adobe Acrobat which patch critical vulnerability in Adobe Reader 9.2 and Adobe Acrobat 9.2 for Windows, Macintosh and Unix as well as Adobe Reader 8.1.7 and Acrobat 8.1.7 for Windows and Macintosh.

• These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system. Adobe recommends users of Adobe Reader 9.2 and Acrobat 9.2 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3 and Acrobat 9.3. Adobe recommends users of Acrobat 8.1.7 and earlier versions for Windows and Macintosh update to Acrobat 8.2. For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3, Adobe has provided the Adobe Reader 8.2 update. Updates apply to all platforms: Windows, Macintosh and UNIX.

Adobe itself did not reveal details about the exploit in the blog post but a post at the Shadowserver website which is run by security volunteers from around the world. According to information posted on their website the exploit has been in the wild since at least December 11. The number of attacks have been limited and targeted so far according to their information. They do expect the “exploit to become more wide spread in the next few weeks” with the potential to become fully public in the same timeframe.

The security researchers did not want to reveal all the information about the vulnerability but mentioned that it was found in the JavaScript function in Adobe Acrobat and Adobe Reader.

With that said we can tell you that this vulnerability is actually in a JavaScript function within Adobe Acrobat [Reader] itself. Furthermore the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult. On the bright side though, there are some solutions to this problem.

A temporary fix was also published on the same website.

We have said it before and we will say it again: Disable JavaScript.

Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

We have not had time to fully test but enabling hardware DEP for systems that support it may also mitigate this issue.

Adobe users are encouraged to disable JavaScript as soon as possible to block their version of the program from being vulnerable.

Windows Vista and Windows 7 who have DEP enabled (that’s Data Execution Prevention) are protected from the exploit. Users who work with different operating systems are encouraged to disable JavaScript to protect against the specific known exploit. Adobe mentions that it is on the other hand possible to create an exploit that does not rely on JavaScript.

Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly security update, scheduled for release on October 13. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date.

Probably the best protection at this point is to uninstall Adobe Reader and Adobe Acrobat and install a third party pdf viewer like Foxit Reader, muPDF or STDU Viewer. Additional information are available at the Adobe website.

Update: New versions of Adobe Reader and Adobe Acrobat have been released by Adobe Software. The new versions are available for download at Adobe, or via the program’s internal update mechanism. Users who upgrade to the latest version are no longer vulnerable to this particular exploit.

The security updates are provided for Adobe Reader and Adobe Acrobat software products running on both Microsoft Windows and Apple Macintosh operating systems. The security bulletin that was issued yesterday contains links that point to downloads for all affected programs and operating systems.

The affected programs are:

• Adobe Reader 9.1.1 and earlier versions
• Adobe Acrobat Standard, Pro, and Pro Extended 9.1.1 and earlier versions

Adobe recommends users of Adobe Reader and Acrobat update their product installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions above to protect themselves from potential vulnerabilities. The above updates apply to Windows and Macintosh. Security updates for Adobe Reader on the UNIX platform will be available on June 16, 2009; this Bulletin will be updated to reflect their availability on that date.

Security conscious users might want to consider switching from Adobe Reader to a third party application like Foxit Reader, Sumatra PDF or PDF-Xchange Viewer.

Most users probably do not mind the regular automatic update checks but some might prefer to update Adobe software products manually. This is important in business environments where patches are extensively tested before applied to client machines.

It is actually not a big problem to disable Adobe Updater if an Internet connection is available. All that needs to be done is to execute the Adobe_Updater.exe file that is located in the Program Files\Common Files\Adobe\Updater6 directory on the hard drive. The application will perform an update check and notify the user about updates. The updates won’t be installed however until the user clicks on the Download And Install Updates button.

A click on Preferences will load the configuration screen shown in the above screenshot. Unchecking the “Automatically check for Adobe updates” box will do the trick. Mac OSX users can basically do the same. The location of the Adobe Updater program on their system is /Applications/Utilities/Adobe Utilities/Adobe Updater5/.

Update: Adobe Updater is available as a separate download from the Adobe website. The program has not been updated since 2009, which may indicate that the program is either no longer used by Adobe, or integrated into their software programs by default to make external installations unnecessary.

The updater, according to the product page, fixes “networking problems, “speed and cpu problems”, “stability problems” and some Internet Explorer related issues.

The program available for download is only compatible with Adobe Creative Suite 4 software or Creative Suite 4 components. Other Adobe products that are not part of the Suite are not supported.

Adobe Reader 9 and Acrobat 9 as well as Adobe Reader 7.1.0 and Acrobat 7.1.0 are not affected by the security vulnerability. The vulnerability causes the applications to crash which can allow an attacker to take control of the host system.

Downloads are available that fix the security vulnerability in Adobe Reader 8 for Windows and Macintosh computers. Take a look at the security bulletin issued by Adobe if you are using Adobe Acrobat or a previous version of one of the products to find the links pointing to updates for your product.