JPCERT-AT-2011-0007
JPCERT/CC
2011-03-22
<<< JPCERT/CC Alert 22.03.11 >>>
Vulnerability in Adobe Flash Player, Adobe Reader and Acrobat
https://www.jpcert.or.jp/at/2011/at110007.txt
I. Overview
Adobe Flash Player contains a vulnerability. As a result, a remote
attacker could execute arbitrary code by convincing a user to open
specially crafted contents. Furthermore, this vulnerability also
affects some versions of Adobe Reader and Acrobat that contain the
Authplay.dll.
JPCERT/CC has confirmed attacks exploiting this vulnerability. Users
are recommended to update to the corrected software provided by Adobe
Systems, or apply mitigation measures.
APSB11-05
Security update available for Adobe Flash Player
http://www.adobe.com/support/security/bulletins/apsb11-05.html
APSB11-06
Security updates available for Adobe Reader and Acrobat
http://www.adobe.com/support/security/bulletins/apsb11-06.html
II. Products Affected
Affected products and versions are as follows:
- Adobe Flash Player 10.2.152.33 and earlier
- Adobe AIR 2.5.1 and earlier
The following products that contain Authplay.dll are also affected
by this vulnerability.
- Adobe Reader 9.x, Adobe Reader X(10.0.x)
- Adobe Acrobat 9.x, Adobe Acrobat X(10.0.x)
However, according to Adobe Systems, Adobe Reader X Protected Mode
mitigates the effect of this vulnerability. The corrected software of
Adobe Reader X is planned to be released with the next quarterly
security update on June 14, 2011 (USA time).
Furthermore, Adobe Reader and Acrobat 8.x are not affected by this
vulnerability.
For more information, refer to Adobe Systems' website.
III. Solution
- Adobe Flash Player
Update Adobe Flash Player to the following latest version. For more
information, refer to Adobe Systems' website.
- Adobe Flash Player 10.2.153.1
Adobe Flash Player Download Center
http://get.adobe.com/jp/flashplayer/
http://get.adobe.com/flashplayer/
The Adobe Flash Player version number installed on your PC can be
verified through the following page:
Adobe Flash Player: Version Information
http://www.adobe.com/jp/software/flash/about/
http://www.adobe.com/products/flash/about/
* Even if using browsers other than Internet Explorer, Flash Player
may be installed on Internet Explorer. Therefore, the Flash Player
for Internet Explorer should also be updated.
- Adobe AIR
Update Adobe AIR to the following latest version. For more
information, refer to Adobe Systems' website.
- Adobe AIR 2.6
Adobe AIR Download Center
http://get.adobe.com/jp/air/
http://get.adobe.com/air/
- Adobe Reader and Acrobat
Update Adobe Reader and Acrobat to the following latest versions.
Corrected software for some of the products has not been released, but
information for mitigating the effect is published. For more
information, refer to Adobe Systems' website.
- Adobe Reader 9.4.3 / Adobe Acrobat 9.4.3, Adobe Acrobat 10.0.2:
Apply the corrected software provided by Adobe Systems. Adobe Reader
and Acrobat will be updated by starting the products, selecting the
menu Help (H), and then clicking Check for Updates (U).
If updating is not possible, download the latest Adobe Reader and
Acrobat from the following URL:
Adobe.com - New downloads
http://www.adobe.com/support/downloads/new.jsp
For more information, refer to Adobe Systems' website.
- Adobe Reader 10.0.x:
The effect of this vulnerability is mitigated by the Protected Mode.
Therefore, confirm that the Protected Mode is enabled.
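The version rules in sections II and III can be applied to a software
inventory as in the following check. This is an added example, not part of
the original JPCERT/CC alert; the product keys, status strings and sample
inventory are constructed, and any version below a fixed release is
assumed to need the update.

```python
# Added example: triage a software inventory against this alert's versions.
# Product keys, status strings and the sample inventory are constructed.


def parse(version):
    """'2.6' -> (2, 6, 0, 0); padding makes '2.6' and '2.6.0' compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


# Fixed releases named in section III.
FIXED = {"flash": parse("10.2.153.1"), "air": parse("2.6")}


def classify(product, version, protected_mode=False):
    v = parse(version)
    if product in FIXED:
        # Assumption: anything below the fixed release needs the update.
        return "UPDATE" if v < FIXED[product] else "OK"
    if product not in ("reader", "acrobat"):
        return "NOT_COVERED"
    if v[0] == 8:
        return "NOT_AFFECTED"  # 8.x is not affected
    if v[0] == 9:
        return "UPDATE" if v < parse("9.4.3") else "OK"
    if v[:2] == (10, 0):
        if product == "acrobat":
            return "UPDATE" if v < parse("10.0.2") else "OK"
        # Reader 10.0.x: no fixed release yet, Protected Mode mitigates.
        return "MITIGATED" if protected_mode else "ENABLE_PROTECTED_MODE"
    return "NOT_COVERED"  # version range not discussed in this alert


def triage(inventory):
    """Return (host, product, version, status) for every inventory row."""
    return [(h, p, ver, classify(p, ver, pm)) for h, p, ver, pm in inventory]


if __name__ == "__main__":
    sample = [  # constructed inventory: host, product, version, protected mode
        ("pc-01", "flash", "10.2.152.33", False),
        ("pc-01", "reader", "10.0.1", True),
        ("pc-02", "acrobat", "9.4.2", False),
        ("pc-03", "air", "2.6.0", False),
    ]
    for row in triage(sample):
        print(*row)
```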
IV. References
Adobe Security Bulletins APSB11-05
Security update available for Adobe Flash Player
http://www.adobe.com/support/security/bulletins/apsb11-05.html
Adobe Security Bulletins APSB11-06
Security updates available for Adobe Reader and Acrobat
http://www.adobe.com/support/security/bulletins/apsb11-06.html
Adobe Security Bulletins APSB11-03
Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat
http://www.adobe.com/support/security/advisories/apsa11-01.html
If you have any further questions or information regarding this
alert, please contact JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/