--
Question: What is the point of 'in band' quarterly Adobe security updates when this stuff keeps repeating month after month after month?
SHORT VERSION:
Don't use Adobe Reader, Adobe Acrobat, or Adobe Flash until yet-another-nother set of 'out-of-band' security updates is available. Each of these applications has NEW security holes that are being exploited IN THE WILD.
[...Hysterical laughter is heard from some distant room...]
Temporary fix options:
A) PDF Viewing
Use Preview, provided with Mac OS X, for all PDF file reading.
Delete the Adobe PDF Viewer Internet plug-in. You will find it here:
/Library/Internet Plug-ins/AdobePDFViewer.plugin
Delete Adobe Reader 9. You will find it here:
/Library/Applications/Adobe Reader 9
B) Flash Playing
Control Flash in your web browser and/or delete Flash Player:
There are several options for taking control of Flash in your web browser. I personally use ClickToFlash for Safari and other WebKit browsers, as well as Flashblock for Firefox.
OR
Just delete Adobe Flash Player from your computer.
How to remove Adobe Flash Player:
Check to see if you have the 'uninstall_flash_player_osx.dmg' file and run it. It should be located here:
/Applications/Adobe Flash Player/uninstall_flash_player_osx.dmg
OR
You can find and remove the Flash web plug-in files here:
/Library/Internet Plug-Ins/Flash Player.plugin
/Library/Internet Plug-ins/flashplayer.xpt
After deleting Adobe Flash Player files, be sure to Quit, then restart your web browsers in order to clean Flash Player out of memory.
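As an added example (not from the original post), here is a small shell script that audits a Mac OS X Internet Plug-ins directory for the plug-ins named above and checks their bundle versions against the affected ranges in the two advisories quoted below (Reader 9.3.4 and earlier, Flash Player 10.1.82.76 and earlier). It assumes an XML Info.plist whose CFBundleVersion carries the dotted product version; the directory argument and the function names are mine, and PlistBuddy is used when it exists.

```shell
#!/bin/sh
# Added example: audit one Internet Plug-ins directory for the Adobe plug-ins
# listed in the post and compare bundle versions with the "and earlier" ranges
# from APSA10-02 (Reader 9.3.4) and APSA10-03 (Flash Player 10.1.82.76).

# version_le A B: true (0) when dotted version A <= B, field by field.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# bundle_version BUNDLE: print CFBundleVersion from BUNDLE/Contents/Info.plist
# (assumption: XML plist with the version in the <string> on the following line).
bundle_version() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    if [ -x /usr/libexec/PlistBuddy ]; then
        /usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' "$plist"
    else
        sed -n '/<key>CFBundleVersion<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist"
    fi
}

# audit_adobe_plugins DIR: one report line per Adobe plug-in found in DIR;
# returns 1 when any of them is in (or cannot be excluded from) the advisory range.
audit_adobe_plugins() {
    dir="$1"; affected=0
    for entry in "AdobePDFViewer.plugin|9.3.4" "Flash Player.plugin|10.1.82.76"; do
        name="${entry%%|*}"; maxbad="${entry#*|}"; path="$dir/$name"
        [ -e "$path" ] || continue
        ver="$(bundle_version "$path" 2>/dev/null || true)"
        if [ -z "$ver" ]; then
            printf '%s: present, version unknown, treat as AFFECTED\n' "$path"; affected=1
        elif version_le "$ver" "$maxbad"; then
            printf '%s: version %s is within the advisory range, AFFECTED\n' "$path" "$ver"; affected=1
        else
            printf '%s: version %s is newer than %s\n' "$path" "$ver" "$maxbad"
        fi
    done
    [ -e "$dir/flashplayer.xpt" ] && printf '%s: Flash XPCOM stub still present\n' "$dir/flashplayer.xpt"
    return $affected
}
```

Run it as `audit_adobe_plugins "/Library/Internet Plug-Ins"` (and again on `~/Library/Internet Plug-Ins`), then quit and restart every browser after removing anything it reports.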
~~~~~~~~~~~~~~
LONG VERSION:
Just when you thought your Adobe apps were safe, this dark sense of wariness creeps into your subconsciousness followed by a sense of déjà vu as you read the latest news. I'll let Adobe give you the bad news. Here are the two pages at Adobe where you can find their security announcements:
Adobe Product Security Incident Response Team (PSIRT)
Adobe Security Bulletins and Advisories
The latest Adobe bad news déjà vu déjà vu déjà vu (emphasis mine):
I) Security Advisory for Adobe Reader and Acrobat (APSA10-02)
II) Security Advisory for Adobe Flash Player (APSA 10-03)
Release date: September 8, 2010
Last updated: September 13, 2010
Vulnerability identifier: APSA10-02
CVE number: CVE-2010-2883
Platform: All
SUMMARY
A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.
We are in the process of finalizing a fix for the issue and expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.
Please note that these Adobe Reader and Acrobat updates represent an accelerated release of the next quarterly security update originally scheduled for October 12, 2010. With this accelerated schedule, we do not plan to release any new updates for Adobe Reader and Acrobat on October 12, 2010.
AFFECTED SOFTWARE VERSIONS
Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh
MITIGATIONS
Current exploits in the wild target the Windows platform. Customers using Adobe Reader or Acrobat 9.3.4 or earlier on Windows can utilize Microsoft's Enhanced Mitigation Evaluation Toolkit (EMET) to help prevent this vulnerability from being exploited. For more information on EMET and implementing this mitigation, please refer to the Microsoft Security Research and Defense blog. Note that due to the time-sensitive nature of this issue, testing of the functional compatibility of this mitigation has been limited. Therefore, we recommend that you also test the mitigation in your environment to minimize any impact on your workflows.
SEVERITY RATING
Adobe categorizes this as a critical issue.
DETAILS
A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of public exploit code for this vulnerability.
Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.
We are in the process of finalizing a fix for the issue and expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010. These updates will also address the issue referenced in Security Advisory APSA10-03 (CVE-2010-2884).
Please note that these Adobe Reader and Acrobat updates represent an accelerated release of the next quarterly security updates originally scheduled for October 12, 2010. With this accelerated schedule, we do not plan to release any new updates for Adobe Reader and Acrobat on October 12, 2010.
Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.
ACKNOWLEDGMENTS
Adobe would like to thank Mila Parkour of http://contagiodump.blogspot.com for working on this issue with Adobe to help protect our customers.
REVISIONS
September 13, 2010 - Updated information on the release schedule, and that the releases represent the next quarterly security update (originally scheduled for October 12, 2010).
September 10, 2010 - Added the Mitigations section with instructions for a mitigation option for Windows users.
September 8, 2010 - Advisory released.
~~~~~~~~~~~
II) Security Advisory for Adobe Flash Player (APSA 10-03)
Release date: September 13, 2010
Vulnerability identifier: APSA10-03
CVE number: CVE-2010-2884
Platform: All
SUMMARY
A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.
We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.
AFFECTED SOFTWARE VERSIONS
Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android
Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh
SEVERITY RATING
Adobe categorizes this as a critical issue.
DETAILS
A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.
We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.
Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.
Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL:
http://blogs.adobe.com/psirt
or by subscribing to the RSS feed here:
http://blogs.adobe.com/psirt/atom.xml
ACKNOWLEDGMENTS
Adobe would like to thank Steven Adair of the Shadowserver Foundation for working with us on this issue with Adobe to help protect our customers.
And now for another rant:
This past week we learned that the first version of Adobe Flash Player had been released for the Google Android OS for smartphones. We also learned that it is a dreadfully buggy, slow, battery consuming POS. Now we learn, if you read through the Adobe bulletins above, that Flash for Android has a 'critical' security hole.
These two Adobe Flash problems were known over a year ago. Dr. Charlie Miller warned us that Flash is the single biggest source of pwnage security holes on the Mac OS X platform. Steve Jobs made it clear that Flash for Mac is a resource hog, verifiable by anyone with a brain (which apparently is not the case with Adobe's current CEO). It is no surprise that Flash turns out to be a resource hog, running as slow as a one-legged dog on Android.
Conclusion: It's time for Flash to die.
Then what?
Contrary to popular mythology, there is no perfect replacement for Flash. The HTML5 video spec promises to replace one of Flash's niches with a totally free-forever video playing alternative. (Yes kids. The patent holders for H.264 are giving it away for everyone forever). However, actual Flash applications will be more difficult to replace. These include games, slideshows, web-page-embedded applications, etc.
Once upon a time we dreamed that Java would take up these roles, and perhaps it may someday. But for now, Java is considered much more difficult to program than Flash, is slow to run, and has its own security problems. Ideally a Java app-building program as easy as Flash will appear, one that uses stringent security protocols, secure memory management and decent speed along with restrained CPU access. It could happen! For all I know, such a Java app builder already exists. Please post a comment if you have related information.
In the meantime, I'm supporting the death sentence for Adobe Flash.
Share and Enjoy,
:-Derek
--
Hi,
This is a great introduction to Flash security.
It is a knowledge-base blog for learning about Flash security policy.
thanks