Security Bulletins

Vulnerable Versions of Flash, Adobe Reader, Adobe Acrobat, Adobe AIR Being Exploited

Background

On April 11, 2011, Adobe released an advisory reporting that a new vulnerability in Flash, Acrobat, Adobe Reader, and AIR is being actively exploited in the wild. Adobe released a patch for Flash and AIR on April 15, 2011. A patch for some affected versions of Adobe Acrobat and Adobe Reader was released April 21, 2011.

Impact

This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. There are reports this vulnerability is being actively exploited in the wild against Adobe Flash Player, Adobe Reader, and Acrobat. In addition to being delivered in the products' native file formats, malicious Flash content is being distributed embedded inside Microsoft Word and Microsoft Excel files sent via email.
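The delivery method described above (a Flash object embedded inside a Word or Excel attachment) can be triaged at the mail gateway or on a suspect file without opening it, because every SWF begins with a recognisable 8-byte header. The script below is an added illustration written for this bulletin, not a UISO or Adobe tool: it scans an Office document for SWF headers, looking inside each member of a zip-based .docx/.xlsx and through the raw bytes of a legacy OLE .doc/.xls. The sample documents it builds are constructed in memory for demonstration and carry only a header, not real Flash content.

```python
import io
import struct
import zipfile

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Legacy binary Office formats (.doc/.xls) are OLE compound files starting with this header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_swf_headers(data):
    """Return (offset, signature, version, declared_length) for each plausible
    SWF header in a byte string. An SWF header is a 3-byte signature, a 1-byte
    version and a 4-byte little-endian uncompressed length. The version range
    and minimum length are sanity filters against incidental 'FWS' text hits."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                if 1 <= version <= 30 and length >= 8:
                    hits.append((pos, magic.decode(), version, length))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def scan_office_file(data):
    """Scan an Office document held in memory.
    OOXML (.docx/.xlsx) is a zip container, so each member is scanned separately
    and reported by path (embedded objects normally live under */embeddings/).
    Anything else (for example an OLE .doc/.xls) is scanned as raw bytes, which
    catches an SWF stored inside an OLE stream."""
    findings = []
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for off, sig, ver, length in find_swf_headers(zf.read(name)):
                    findings.append((name, off, sig, ver, length))
    else:
        for off, sig, ver, length in find_swf_headers(data):
            findings.append(("<raw>", off, sig, ver, length))
    return findings


def build_sample_docx(with_swf):
    """Constructed test document (not a real attachment): a minimal zip with an
    embedded-object member that optionally carries an SWF header and filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        payload = b"\x00" * 16  # placeholder OLE wrapper bytes, constructed
        if with_swf:
            payload += b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"x" * 32
        zf.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


def build_sample_ole():
    """Constructed legacy .doc-style blob: OLE header, padding, then an SWF header."""
    return OLE_MAGIC + b"\x00" * 100 + b"FWS" + bytes([8]) + struct.pack("<I", 64) + b"\x00" * 60


if __name__ == "__main__":
    for label, blob in (("docx-with-swf", build_sample_docx(True)),
                        ("docx-clean", build_sample_docx(False)),
                        ("ole-with-swf", build_sample_ole())):
        print(label, scan_office_file(blob))
```

A hit is a reason to quarantine and inspect, not proof of exploitation: legitimate documents can embed Flash, and a compressed (CWS/ZWS) header cannot be validated further without decompressing it. Treat the declared length as informational; only an uncompressed FWS should match the object's actual size.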

Platforms Affected

  • Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux, and Solaris
  • Adobe Flash Player 10.2.154.25 and earlier versions for Chrome users
  • Adobe Flash Player 10.2.156.12 and earlier versions for Android
  • Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh, and Linux
  • Adobe Reader X (10.0.1) and earlier versions for Windows
  • Adobe Reader X (10.0.2) and earlier versions for Macintosh
  • Adobe Acrobat X (10.0.2) and earlier versions for Windows and Macintosh

Local Observations

The University Information Security Office (UISO) has not observed active exploitation of this vulnerability on any university systems, but is aware that the vulnerability is currently being exploited on the Internet at large.

Over 90% of University computers have Adobe Flash installed. Some even have Macromedia Flash players earlier than version 8.x installed. There are many previous vulnerabilities in Flash, and it is critically important that Flash be kept up to date.

UISO Recommendations

Patching Affected Applications

UISO recommends users apply patches to the affected applications immediately.

Adobe Flash

Adobe Flash updates are available from the Adobe Flash Player Download Center. If you use both Internet Explorer and non-IE browsers, you’ll need to apply this update at least twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera or Safari. The version of Flash installed can be verified using the About Flash Player page.

Google Chrome users can update Chrome to version 10.0.648.205 or later.

Adobe plans to make an update available for Adobe Flash on Android the week of the 25th.
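Checking one machine against the About Flash Player page works for a single user, but an LSP responsible for many systems needs the same comparison run over an inventory. The script below is an added example for this bulletin (not a UISO, Adobe or Secunia tool) that encodes the "and earlier versions" thresholds from the Platforms Affected list and the Chrome fix version from this section, then flags affected hosts in a constructed CSV inventory. It assumes an inventory export with host, product and version columns, which is an assumption of the example; the version strings in the sample are constructed and imply nothing about which later builds Adobe actually shipped.

```python
import csv
import io

# Last affected version per product, taken from this bulletin's Platforms Affected list.
# A product is affected if the installed version is <= the value here.
LAST_AFFECTED = {
    "flash-desktop": "10.2.153.1",   # Windows, Macintosh, Linux, Solaris
    "flash-chrome":  "10.2.154.25",  # Flash bundled with Chrome
    "flash-android": "10.2.156.12",
    "air":           "2.6.19120",
    "reader-win":    "10.0.1",
    "reader-mac":    "10.0.2",
    "acrobat":       "10.0.2",       # Windows and Macintosh
}
# Chrome itself is tracked by the browser build that carries the fix (from this section).
FIRST_FIXED_CHROME = "10.0.648.205"


def parse_version(text):
    """Turn '10.2.153.1' into (10, 2, 153, 1) so comparison is numeric,
    not lexical (as strings, '10.2.9' would sort after '10.2.153')."""
    return tuple(int(part) for part in text.strip().split("."))


def version_le(a, b):
    """True if version tuple a <= b, padding the shorter tuple with zeros so
    '10.0.1' and '10.0.1.0' compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def is_affected(product, installed):
    """Apply the bulletin's rule for one product/version pair."""
    if product == "chrome":
        # Fixed when the browser is at or above the fixed build.
        return not version_le(parse_version(FIRST_FIXED_CHROME), parse_version(installed))
    return version_le(parse_version(installed), parse_version(LAST_AFFECTED[product]))


def inventory_report(csv_text):
    """Return (host, product, version, affected) for every row of the inventory."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append((rec["host"], rec["product"], rec["version"],
                     is_affected(rec["product"], rec["version"])))
    return rows


def affected_hosts(csv_text):
    """Hosts that still need one of the patches described in this bulletin."""
    return [host for host, _, _, affected in inventory_report(csv_text) if affected]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """\
host,product,version
lab-pc-01,flash-desktop,10.2.153.1
lab-pc-02,flash-desktop,10.2.200.0
lab-pc-03,flash-desktop,7.0.19.0
lab-mac-01,reader-mac,10.0.2
lab-mac-02,reader-mac,10.0.3
lab-pc-04,chrome,10.0.648.204
lab-pc-05,chrome,10.0.648.205
lab-pc-06,air,2.6.19120
"""

if __name__ == "__main__":
    for host, product, version, affected in inventory_report(SAMPLE_INVENTORY):
        print(f"{host:10} {product:14} {version:14} {'AFFECTED' if affected else 'ok'}")
```

Note that the bulletin's Flash version for Chrome users (10.2.154.25) is the Flash plugin build, while the 10.0.648.205 figure is the Chrome browser build, so an inventory that records only one of the two should be compared against the matching key. Flash installed for Internet Explorer and for other browsers are separate installations on the same Windows host, so an accurate inventory records each one.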

Adobe AIR

Adobe AIR can be downloaded from the Adobe Download Center. The version of AIR installed can be verified using instructions from the Adobe KB.

Adobe Reader

Adobe Reader users can utilize the built-in update functionality by clicking on Help->Check for Updates within the application. For Windows users of Adobe Reader X, enabling Protected Mode is the only mitigation available until a patch scheduled for June 14, 2011. For manual updates please utilize the following links:

Adobe Acrobat

Adobe Acrobat users can utilize the built-in update functionality by clicking on Help->Check for Updates within the application. For manual updates please utilize the following links:

Best Practices

Day-to-day work on computer systems should be done as a non-privileged user without Administrator privileges. This will limit the damage caused by this type of attack, and possibly prevent a system from being taken over completely. Please see our page on using a less privileged account.

Users, especially Local Service Providers (LSPs), should follow security advisories from vendors whose products are being used. The UISO has links to most major vendors' security advisories here. All Adobe security advisories can be found here. Users are encouraged to install Secunia PSI to detect out-of-date and vulnerable software packages.

Further Reading