Vulnerable Versions of Flash, Adobe Reader, Adobe Acrobat, Adobe AIR Being Exploited
On April 11, 2011, Adobe released an advisory reporting that a new vulnerability in Flash, Acrobat, Adobe Reader, and AIR is being actively exploited in the wild. Adobe released a patch for Flash and AIR on April 15, 2011. A patch for some affected versions of Adobe Acrobat and Adobe Reader was released April 21, 2011.
This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player, Adobe Reader, and Acrobat. Beyond the products' own file formats, malicious Flash content is also being distributed embedded in Microsoft Word and Microsoft Excel files sent via email.
Affected Versions
- Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux, and Solaris
- Adobe Flash Player 10.2.154.25 and earlier versions for Chrome users
- Adobe Flash Player 10.2.156.12 and earlier versions for Android
- Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh, and Linux
- Adobe Reader X (10.0.1) and earlier versions for Windows
- Adobe Reader X (10.0.2) and earlier versions for Macintosh
- Adobe Acrobat X (10.0.2) and earlier versions for Windows and Macintosh
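As an added example (not part of the original advisory), the following Python check classifies an installed Adobe product version against the affected-version ceilings listed above. It compares versions component by component rather than as text, so "10.2.153.1" is correctly treated as older than "10.2.154.25"; the product/platform keys and function names are this example's own assumptions.

```python
# Added example, not from the advisory: decide whether an inventoried
# Adobe product version falls within the "X and earlier" affected range.
from typing import Dict, Tuple

# Highest affected ("and earlier") version per product and platform,
# transcribed from the advisory's affected-version list. The string
# keys are an assumption of this example, not Adobe's naming.
AFFECTED: Dict[Tuple[str, str], str] = {
    ("flash", "windows"): "10.2.153.1",
    ("flash", "macintosh"): "10.2.153.1",
    ("flash", "linux"): "10.2.153.1",
    ("flash", "solaris"): "10.2.153.1",
    ("flash", "chrome"): "10.2.154.25",
    ("flash", "android"): "10.2.156.12",
    ("air", "windows"): "2.6.19120",
    ("air", "macintosh"): "2.6.19120",
    ("air", "linux"): "2.6.19120",
    ("reader", "windows"): "10.0.1",
    ("reader", "macintosh"): "10.0.2",
    ("acrobat", "windows"): "10.0.2",
    ("acrobat", "macintosh"): "10.0.2",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    Trailing zeros are stripped so "10.2" and "10.2.0" compare equal.
    A non-numeric component raises ValueError instead of being silently
    treated as zero, which would otherwise under-report exposure.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(product: str, platform: str, version: str) -> bool:
    """Return True when the installed version is at or below the ceiling.

    Unknown product/platform pairs raise KeyError so a typo in inventory
    data does not quietly come back as "not affected".
    """
    ceiling = AFFECTED[(product.lower(), platform.lower())]
    return parse_version(version) <= parse_version(ceiling)
```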
The University Information Security Office (UISO) has not observed active exploitation of this vulnerability on any university systems, but is aware that the vulnerability is currently being exploited on the Internet at large.
Over 90% of University computers have Adobe Flash installed. Some even have Macromedia Flash players earlier than version 8.x installed. There are many previous vulnerabilities in Flash, and it is critically important that Flash be kept up to date.
Patching Affected Applications
UISO recommends users apply patches to the affected applications immediately.
Adobe Flash updates are available from the Adobe Flash Player Download Center. If you use both Internet Explorer and non-IE browsers, you’ll need to apply this update at least twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera or Safari. The version of Flash installed can be verified using the About Flash Player page.
Google Chrome users can update Chrome to version 10.0.648.205 or later.
Adobe plans to make an update available for Adobe Flash on Android the week of the 25th.
Adobe Reader users can use the built-in update functionality by clicking Help->Check for Updates within the application. For Windows users of Adobe Reader X, enabling protected mode is the only mitigation available until the patch scheduled for June 14, 2011. For manual updates, please use the following links:
- Adobe Reader 9.x for Windows
- Adobe Reader 10.x for Windows should use protected mode. A patch will be available June 14, 2011.
- Adobe Reader 10.x and 9.x for Macintosh
- Adobe Acrobat Standard and Pro 10.x and 9.x for Windows
- Adobe Acrobat Extended 9.x for Windows
- Adobe Acrobat Pro for Macintosh
Day-to-day work on computer systems should be done as a non-privileged user without Administrator privileges. This will limit the damage caused by this type of attack, and possibly prevent a system from being taken over completely. Please see our page on using a less privileged account.
Users, especially Local Service Providers (LSPs), should follow security advisories from the vendors whose products they use. The UISO has links to most major vendors' security advisories here. All Adobe security advisories can be found here. Users are encouraged to install Secunia PSI to detect out-of-date and vulnerable software packages.