Adobe Releases Security Advisory for Flash Player, Reader, and Acrobat

Adobe has released a security advisory to alert users of a vulnerability affecting the following products:

  • Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Solaris
  • Adobe Flash Player and earlier versions for Google Chrome users
  • Adobe Flash Player and earlier versions for Android
  • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh.
Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. At this time, the vendor has not released a fix for this vulnerability. The Adobe advisory indicates that this vulnerability is being actively exploited via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.

Adobe has indicated that it expects to release a fix for this vulnerability during the week of March 21, 2011. In the interim, users and administrators are encouraged to implement the following workarounds to help reduce the risks.
  • Disable Flash in the web browser as described in the Securing Your Web Browser document.
  • Disable Flash and 3D & Multimedia support in Adobe Reader 9 and later.
  • Disable JavaScript in Adobe Reader and Acrobat.
  • Prevent Internet Explorer from automatically opening PDF documents.
  • Disable the displaying of PDF documents in the web browser.
  • Enable DEP in Microsoft Windows.
  • Utilize Microsoft EMET to enable runtime mitgations for Microsoft Internet Explorer and Excel.
Additional information regarding this vulnerability, including detailed workaround instructions, can be found in US-CERT Vulnerability Note VU#192052. US-CERT will provide additional information as it becomes available.

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No