VikingBob Premium Member join:2004-06-05 Ste Anne, MB kudos:1 ·MTS
|
APSA10-05 - Adobe Security Advisory
» www.adobe.com/support/se ··· -05.html
Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat
Release date: October 28, 2010
Vulnerability identifier: APSA10-05
CVE number: CVE-2010-3654
Platform: All Platforms
Summary: A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.
This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.
We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux, and Android by November 9, 2010. We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.
Affected software versions
Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 10.1.95.2 and earlier for Android
Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX*
Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh*
*Note: Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Adobe Reader for Android is not affected by this issue.
Mitigations:
Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.
The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
Adobe Reader 9.x - Macintosh
1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.
Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.
Adobe Reader 9.x - UNIX
1) Go to installation location of Reader (typically a folder named Adobe).
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
3) Remove the library named "libauthplay.so.0.0.0."
Severity rating: Adobe categorizes this as a critical issue.
Details: A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.
This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.
Note: Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Mitigation is available for Adobe Reader and Acrobat 9.x customers as detailed above. Adobe Reader for Android is not affected by this issue.
We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player 10.x for Windows, Macintosh, Linux and Android by November 9, 2010. We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.
Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: »blogs.adobe.com/psirt or by subscribing to the RSS feed here: »blogs.adobe.com/psirt/atom.xml.
Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date. |
|
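The mitigation steps from the advisory quoted in the first post, scripted as a reversible rename (an added example, not part of the thread or of Adobe's advisory). The relative paths come from the advisory text; the `*.app` wrapper for the Macintosh package, the `.apsa10-05-disabled` suffix and the function names are assumptions of this example.

```python
from pathlib import Path
import sys

# Glob patterns relative to an install root, built from the locations the
# advisory lists. The "*.app" wrapper for the Mac package and the suffix
# below are assumptions of this example.
PATTERNS = [
    "Reader 9.0/Reader/authplay.dll",                        # Windows, Reader
    "Acrobat 9.0/Acrobat/authplay.dll",                      # Windows, Acrobat
    "*/*.app/Contents/Frameworks/AuthPlayLib.bundle",        # Macintosh
    "Reader9/Reader/intellinux/lib/libauthplay.so.0.0.0",    # Linux
    "Reader9/Reader/intelsolaris/lib/libauthplay.so.0.0.0",  # Solaris
]
SUFFIX = ".apsa10-05-disabled"  # hypothetical marker so the rename is reversible


def find_components(root, suffix=""):
    """Return every authplay component (or renamed copy) under root."""
    root = Path(root)
    return sorted(p for pat in PATTERNS for p in root.glob(pat + suffix))


def disable(root, dry_run=True):
    """Rename each component out of the way; returns (path, action) pairs."""
    results = []
    for path in find_components(root):
        target = path.with_name(path.name + SUFFIX)
        if target.exists():
            results.append((path, "skipped: renamed copy already present"))
        elif dry_run:
            results.append((path, "would rename"))
        else:
            path.rename(target)  # works for the .dll/.so files and the bundle directory
            results.append((path, "renamed"))
    return results


def restore(root):
    """Undo disable(), e.g. before installing the vendor update."""
    restored = []
    for path in find_components(root, SUFFIX):
        original = path.with_name(path.name[: -len(SUFFIX)])
        if not original.exists():
            path.rename(original)
            restored.append(original)
    return restored


if __name__ == "__main__":
    # usage: script.py <install root> [--apply]
    for path, action in disable(sys.argv[1], dry_run="--apply" not in sys.argv):
        print(f"{action}: {path}")
```

Pass the install root (the Adobe folder under Program Files, /Applications, or the UNIX Adobe folder); without `--apply` the script only reports what it would rename.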
chachazz Premium Member join:2003-12-14 kudos:10 |
2010-Oct-28 4:36 pm
Thanks VikingBob; It's never-ending with Adobe... |
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 |
I'm getting tired of this.
Slashdot is covering this bug too and they said that we won't be getting a patch for this until two weeks from now.
UNACCEPTABLE! SIMPLY UNACCEPTABLE! |
|
geierrComputer Nut Premium Member join:2001-07-07 Yakima, WA |
2010-Oct-28 9:45 pm
I concur with that! |
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 ·AT&T U-Verse
1 edit |
Adobe, your bug is being exploited... now. That means you get every programmer in. I don't care if they are sleeping right now, drag them out of bed if you have to. Fix it now!
Blackhats don't wait for your patches and neither should we!
And second... Just what the hell do they have programming at Adobe? Retarded test monkeys on crack? |
|
chachazz Premium Member join:2003-12-14 kudos:10 ·TELUS
|
to trparky
said by trparky:
I'm getting tired of this. Slashdot is covering this bug too and they said that we won't be getting a patch for this until two weeks from now. UNACCEPTABLE! SIMPLY UNACCEPTABLE!

Adobe says:
quote:
We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player 10.x for Windows, Macintosh, Linux and Android by November 9, 2010.
We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.
|
|
trparkyAndroid... get back here MVM join:2000-05-24 Cleveland, OH kudos:4 |
That's not soon enough.
Exploit code is out and a trojan is using the exploit and is actively infecting machines. November 9th is too far away. Millions of people's PCs are sitting ducks. |
|
chachazz Premium Member join:2003-12-14 kudos:10 ·TELUS
|
to VikingBob
Last updated: November 2, 2010
quote:
We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux and Solaris by November 4, 2010.
We expect to make available an update for Flash Player 10.x for Android by November 9, 2010.
We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.
|
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN kudos:13 ·TekSavvy Cable
·Rogers Hi-Speed
|
to trparky
said by trparky:
That's not soon enough. Exploit code is out and a trojan is using the exploit and is actively infecting machines. November 9th is too far away. Millions of people's PCs are sitting ducks.

That never stopped Microsoft from waiting? You can uninstall it. When an update is available reinstall it. Asking how soon it will arrive then receiving an answer to it and replying with... "that's not soon enough!", isn't going to bring the fix any closer to fruition. |
|
| |
to VikingBob
Adobe: Hire some more Security programmers; I mean "a" Security programmer! |
|
BlitzenZeusBurnt Out Cynic Premium Member join:2000-01-13 kudos:6 |
to VikingBob
If nothing else, this screams why it's best to run as a user account for everyday activities. People running Firefox, and noscript should be ok as long as the site that hosts the file isn't already allowed. |
|
| |
to VikingBob
Indeed |
|
VikingBob Premium Member join:2004-06-05 Ste Anne, MB kudos:1 |
to chachazz
Nov. 4 is here, and so far no Flash Player update for Win/Mac/Linux/Solaris... |
|
caffeinatorComing soon to a cup near you.. Premium Member join:2005-01-16 00000 kudos:4 ·CenturyLink
3 edits |
to VikingBob
According to Adobe, I currently have: You have version 10,1,85,3 installed
Right now the Flash Download is this: Adobe Flash Player 10.1.102.64
Same old installer version
So I'm confused...is it different or not?
Adobe can't be so sloppy in webdev as to label a download one version and have it be an older version, can they?
|
|
therube join:2004-11-11 Randallstown, MD ·Xfinity
·Verizon Online DSL
2 edits |
I appear to have gotten the correct version.
MD5: 68686530d211c461b5364a991dd41f21
This is for the "Netscape" (ie not IE) version.
EDIT: Appears that (perhaps) the IE version has not yet updated? Or at least when I downloaded "install_flash_player_ax.exe", it was still the older version.
The uninstaller, Download the Adobe Flash Player uninstaller: uninstall_flash_player.exe (228 KB) (updated 11/09/2010), shows a date in the future. |
|
caffeinatorComing soon to a cup near you.. Premium Member join:2005-01-16 00000 kudos:4 |
Maybe they are still in the process of deploying..IDK. I DL'd both "regular" and Ax versions and both say the old version numbers. :/ |
|
antdudeA Ninja Ant VIP join:2001-03-25 United State kudos:5 ·Time Warner Cable
|
said by caffeinator:
Maybe they are still in the process of deploying..IDK. I DL'd both "regular" and Ax versions and both say the old version numbers. :/

It's not end of day so Adobe still has a few hours left. Maybe it's not quite ready yet. :P I don't recall Adobe telling us what hour it will be released.
» www.adobe.com/software/f ··· h/about/ still shows the same versions in both Mozilla's SeaMonkey v2.0.10 and IE8 for me as well. |
|
therube join:2004-11-11 Randallstown, MD ·Xfinity
·Verizon Online DSL
|
to caffeinator
Ax variety I just got from here & current: http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_10_active_x.exe
MD5: b1acc692ce72994cf963c863cc547b80
What is currently being served from get.adobe.com is old: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
|
|
caffeinatorComing soon to a cup near you.. Premium Member join:2005-01-16 00000 kudos:4 ·CenturyLink
4 edits |
I'll be damned...that's weird. But you're right... Also, the NEW non-ax version is there too: http://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_10.exe
EDIT: Just scanned and installed 'em and it's real enough. :)  add-remove programs info.
Thanks for the information therube!! Why Macromedia downloads would have them and the official Flash site wouldn't is beyond me. Unless it's an Enterprise releases server or something. |
|
|
| caffeinator |
to antdude
Well, seems Adobe is as confused as ever... 
Thanks to therube at least I have the new version.  |
|
antdudeA Ninja Ant VIP join:2001-03-25 United State kudos:5 ·Time Warner Cable
|
said by caffeinator:
Well, seems Adobe is as confused as ever... Thanks to therube at least I have the new version.

Or maybe it's a prerelease. :P I will just wait... |
|
| |
to VikingBob
My IE8 and Firefox are OK, but my Chrome browser has 10,1,103,19 Any reason? |
|
FFH5 Premium Member join:2002-03-03 Tavistock NJ kudos:5 |
2010-Nov-4 5:21 pm
said by AdamKertesz:
My IE8 and Firefox are OK, but my Chrome browser has 10,1,103,19 Any reason?

That is a later version than the patch version specifically built for Google Chrome embedded Flash player. You have version 10,1,103,19 installed |
|
Smith6612 MVM join:2008-02-01 North Tonawanda, NY kudos:26 |
to caffeinator
Adobe's updated that page at least on my end. Already updated Flash. |
|
chachazz Premium Member join:2003-12-14 kudos:10 |
to VikingBob
November 4, 2010 - Updated with information on Security Bulletin APSB10-26.
» www.adobe.com/support/se ··· -05.html |
|
antdudeA Ninja Ant VIP join:2001-03-25 United State kudos:5 ·Time Warner Cable
|
to Smith6612
said by Smith6612:
Adobe's updated that page at least on my end. Already updated Flash.

Finally! |
|
VikingBob Premium Member join:2004-06-05 Ste Anne, MB kudos:1 |
Flash update installed here - now to wait for the Flash for Android and Reader/Acrobat update... |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC kudos:18 ·Bell Fibe Internet
|
to VikingBob
The update advisory for Flashplayer (pardon dupes, if any) is below:
» www.adobe.com/support/se ··· -26.html
**beware of Google Toolbar** - Adobe DLM, Download Manager. For those using IE can always uninstall DLM once done.
Fetch • » get.adobe.com/flashplayer/ |
|
caffeinatorComing soon to a cup near you.. Premium Member join:2005-01-16 00000 kudos:4 |
DLM??
I have NEVER seen a DLM...
I've downloaded Flash directly since it was invented. |
|
BlitzenZeusBurnt Out Cynic Premium Member join:2000-01-13 kudos:6 |
Depending on the browser you use to download it, they might try to force you to automatically run an application through the browser, and not give you a traditional save as... dialog, not even giving you the manual install option at all. |
|