Basically, both Flash Player and Adobe Reader / Acrobat are affected by the security vulnerability. According to Adobe’s security bulletin, the issue is actively exploited against Adobe Reader and Acrobat on Windows.

Adobe is currently working on patches and aims to release the Flash Player patch on November 9, 2010 and the Adobe Reader / Acrobat patch on November 15, 2010. That’s puzzling considering that the company has admitted that the issue is actively exploited against Adobe Reader and Acrobat.

Mitigations were posted to protect the computer system.

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content. The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

No mitigating factors were offered for the Flash vulnerability. The only ones that are known to work are to either disable Adobe Flash in the browser, or to use a flash blocking script such as NoScript for Firefox.

The Register has additional information about the pdf exploit. According to their information, attackers “install a nasty trojan known as Wisp, which according to Microsoft, steals sensitive user data and installs a backdoor on compromised systems.”

With patches as far away as two weeks, it is recommended to disable authplay.dll in Adobe Reader or Acrobat, and disable or block the Flash plugin in the web browser to protect the computer system against these attacks.

Adobe expects to make the updates “available during the week of August 16, 2010″, which does mean that millions of computer systems running either Adobe Reader or Adobe Acrobat are left vulnerable for the time being.

Adobe is planning to release updates for Adobe Reader 9.3.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3.3 for Windows and Macintosh, and Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh to resolve critical security issues, including CVE-2010-2862 which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. Adobe expects to make these updates available during the week of August 16, 2010

The security advisory does not reveal information about the vulnerabilities, only that one was discussed at last month’s Black Hat USA 2010 security conference, that all platforms are affected, and that Adobe Reader 9.3.3 and earlier, and Adobe Acrobat 9.3.3 and earlier are affected.

The advisory over at Secunia reveals additional details about the vulnerability discussed at the Black Hat conference. The Adobe Reader / Acrobat Font Parsing Integer Overflow Vulnerability has been rated as highly critical, the second highest possible rating.

The vulnerability is caused due to an integer overflow error in CoolType.dll when parsing the “maxCompositePoints” field value in the “maxp” (Maximum Profile) table of a TrueType font. This can be exploited to corrupt memory via a PDF file containing a specially crafted TrueType font.

Successful exploits may allow remote code execution on the targeted system.

Users with Adobe Reader or Adobe Acrobat installed may want to consider switching to another pdf reader for the time being, to protect their computer system from those vulnerabilities. Alternatives are listed on our pdf reader comparison page.

The security bulletin sheds some light on the security issues that have been fixed in the release. A total of 17 different vulnerabilities have been fixed in Adobe Reader 9.3.3. Adobe has categorized the update as critical and recommends that users apply the latest updates immediately to protect their computer systems.

Exploits of any security vulnerability that has been patched in the update can lead to code execution on the affected system.

Adobe confirmed that at least one of the security vulnerabilities is actively exploited in the wild.

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1297).
Note: There are reports that this issue is being actively exploited in the wild.

This update mitigates a social engineering attack that could lead to code execution (CVE-2010-1240).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-1285).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1295).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2168).

This update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2201).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2202).

This update resolves a UNIX-only memory corruption vulnerability that could lead to code execution (CVE-2010-2203).

This update resolves a denial of service vulnerability; arbitrary code execution has not been demonstrated, but may be possible (CVE-2010-2204).

This update resolves an uninitialized memory vulnerability that could lead to code execution (CVE-2010-2205).

This update resolves an array-indexing error vulnerability that could lead to code execution (CVE-2010-2206).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2207).

This update resolves a dereference deleted heap object vulnerability that could lead to code execution (CVE-2010-2208).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2209).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2210).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2211).

This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2212).

Adobe Reader 9.3.3 and Acrobat 9.3.3 are available for download at the Adobe website. Also available are Adobe Reader 8.2.3 and Adobe Acrobat 8.2.3 which both fix the security issues as well.

Highly critical is a rating for “remotely exploitable vulnerabilities that can lead to system compromise” that usually do not “require any interaction” and where exploits are already in the wild.

The Adobe Flash vulnerability that has been reported is affecting Adobe Flash Player 10.x and Adobe Flash Player 9.x.

A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an unspecified error. No more information is currently available.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in version 10.0.45.2 and prior 10.0.x and 9.0.x versions for Windows, Macintosh, Linux, and Solaris.

NOTE: The vulnerability is reportedly being actively exploited.

The release candidate of the upcoming Adobe Flash Player 10.1 does not seem to be affected by the vulnerability according to the information at the Secunia website.

Users who want to protect their computer system from being exploited by the vulnerability can either disable Adobe Flash for the time being or update to the Adobe Flash Player 10.1 Release Candidate. Additional information about the vulnerability are posted in a Security Bulletin at the Adobe website.

The Adobe Reader and Adobe Acrobat vulnerability might be related to the Adobe Flash vulnerability. The Secunia Advisory lists Adobe Reader 9 versions for Windows, Macintosh and Linux as affected by the vulnerability.

The vulnerability is caused due to a vulnerable bundled version of Flash Player (authplay.dll).Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in version 9.3.2 and earlier 9.x versions for Windows, Macintosh, and UNIX.

NOTE: The vulnerability is currently being actively exploited.

The temporary solution to protect the computer system from the exploits is to delete, rename or remove access to autoplay.dll to prevent Flash content from being executed in Adobe Reader and Acrobat.

Today a critical vulnerability was disclosed that is affecting all Adobe Reader 9.3 and earlier and Adobe Acrobat 9.3 and earlier versions on Windows and Macintosh. The Adobe Reader 9.3 or earlier Unix versions are also vulnerable.

As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe has reacted promptly this time as updates for Adobe Reader and Acrobat are already available for download and installation. It is suggested to download the new releases as soon as possible to protect the computer system from the security vulnerability.

The security bulletin posted at the Adobe website contains download links for all supported operating systems.

Windows Vista and Windows 7 who have DEP enabled (that’s Data Execution Prevention) are protected from the exploit. Users who work with different operating systems are encouraged to disable JavaScript to protect against the specific known exploit. Adobe mentions that it is on the other hand possible to create an exploit that does not rely on JavaScript.

Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly security update, scheduled for release on October 13. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date.

Probably the best protection at this point is to uninstall Adobe Reader and Adobe Acrobat and install a third party pdf viewer like Foxit Reader, muPDF or STDU Viewer. Additional information are available at the Adobe website.

Update: New versions of Adobe Reader and Adobe Acrobat have been released by Adobe Software. The new versions are available for download at Adobe, or via the program’s internal update mechanism. Users who upgrade to the latest version are no longer vulnerable to this particular exploit.

Apple Mac and Unix systems are affected by the vulnerability as well but the exploit that is currently in the wild is only affecting Windows. Adobe suggests to enable UAC in Windows Vista (and Windows 7). Windows XP users should consider moving or deleting authplay.dll to protect their computer system from the threat against Adobe Reader and Acrobat “but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content”.

An alternative would be to uninstall Adobe Reader or Acrobat and install one of the available third party pdf readers like Foxit Reader or Sumatra.

Adobe does not offer any advise on the Flash Player vulnerability. The only viable option seems to be to disable or even uninstall Flash and wait for the patch which is expected to be released on July 30 and July 31.

The security updates are provided for Adobe Reader and Adobe Acrobat software products running on both Microsoft Windows and Apple Macintosh operating systems. The security bulletin that was issued yesterday contains links that point to downloads for all affected programs and operating systems.

The affected programs are:

• Adobe Reader 9.1.1 and earlier versions
• Adobe Acrobat Standard, Pro, and Pro Extended 9.1.1 and earlier versions

Adobe recommends users of Adobe Reader and Acrobat update their product installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions above to protect themselves from potential vulnerabilities. The above updates apply to Windows and Macintosh. Security updates for Adobe Reader on the UNIX platform will be available on June 16, 2009; this Bulletin will be updated to reflect their availability on that date.

Security conscious users might want to consider switching from Adobe Reader to a third party application like Foxit Reader, Sumatra PDF or PDF-Xchange Viewer.

Lurene Grenier, a security researcher at Sourcefire, has published an unofficial patch for Adobe Reader 9 that is installed on a computer running the Microsoft Windows operating system. The patch comes with no guarantees and involves the replacement of a dll file in the Adobe Reader directory. Users should make sure to backup the dll before replacing it to be prepared for eventualities. Windows users with previous Adobe Reader versions will have to upgrade to Adobe Reader 9 before they can apply the patch.

There is another recommendation (by US-CERT)which is helpful for users of other operating systems or Windows users who do not like the idea of replacing a dll on the computer system:

• Disabling Javascript in Adobe Reader by going to Edit > Preferences > JavaScript and unchecking enable Acrobat JavaScript.
• Preventing IE from automatically displaying PDFs. This can be done via a Registry tweak described on the US-CERT notification.
• Disable rendering of PDFs within web pages. This can be done from the Edit-Preferences menu in Adobe Reader.

It is recommended to act swiftly to prevent that the vulnerability can get exploited on the computer system. Users of third party PDF software programs are not affected by the vulnerability.

Update: Adobe has patched all Adobe Reader products in the meantime. Users who have updated the pdf reader cannot be attacked anymore.

Adobe just mentioned that “the Adobe Reader 8.1.2 update addresses a number of customer workflow issues and security vulnerabilities while providing more stability.” Either they have forgotten to include the information in the release notes or they did not want to publish them officially.

It does not really matter for us end users anyway. If you use Adobe Reader head out now and download the latest version of Adobe Reader to be on the safe side.