US DHS advises users to turn off Flash pending Adobe security fix
By Scott M. Fulton, III | Published July 23, 2009, 12:02 PM
In the wake of reports that malicious users have found a way to trick Adobe Reader 9 into triggering an exploitable crash in Adobe Flash 9 and 10, the US Dept. of Homeland Security's CERT cybersecurity team is asking users and administrators everywhere to turn off Flash video in their Web browsers.
This prompted Adobe, which has recently been seeing what may be the onset of a deluge of security issues, to update its security advisory, now rating the exploitable issue as "critical." Adobe is not advising users to take such drastic measures as disengaging Flash in their browsers (which would make it very hard to watch YouTube). What it's suggesting instead is that users manually delete the file %ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll, which is a library that Adobe Reader and Acrobat use to trigger embedded Flash and Shockwave videos.
Doing so might cause a crash when a user tries to launch a PDF document with an embedded video, though Adobe is indicating that this particular crash may not be an exploitable one.
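The workaround above as a scripted check, added here as an example (not code from Adobe or from this article): it reports whether authplay.dll is present at the path the article gives and, when asked, renames it instead of deleting it so the change can be reverted once a fix ships. The -Disable switch, the .disabled suffix and the Program Files (x86) lookup are assumptions of this example.

```powershell
# Added example: check for authplay.dll under Adobe Reader 9 and take it out of service.
# Only the "Adobe\Reader 9.0\Reader\authplay.dll" path comes from the article.
# Assumptions of this example: the -Disable switch, the ".disabled" suffix,
# the extra Program Files (x86) root, and renaming in place of deleting.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # without this switch the script only reports what it finds
)

$relative = 'Adobe\Reader 9.0\Reader\authplay.dll'

# On 64-bit Windows a 32-bit Reader install lives under Program Files (x86).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    Select-Object -Unique

foreach ($root in $roots) {
    $dll = Join-Path $root $relative

    if (-not (Test-Path -LiteralPath $dll)) {
        Write-Output "absent : $dll"
        continue
    }

    $info = Get-Item -LiteralPath $dll
    Write-Output ("present: {0} (file version {1})" -f $dll, $info.VersionInfo.FileVersion)

    # Renaming needs an elevated prompt; -WhatIf shows the action without performing it.
    if ($Disable -and $PSCmdlet.ShouldProcess($dll, 'Rename to authplay.dll.disabled')) {
        Rename-Item -LiteralPath $dll -NewName 'authplay.dll.disabled'
    }
}
```

Run it without arguments to inventory a machine, and with -Disable -WhatIf to preview the rename before applying it.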
The nature of Adobe's recommended workaround tells you almost everything you need to know about the exploit: It's another case where a maliciously crafted handoff between two interpreters triggers a crash in the one that's supposed to receive the proverbial baton. That crash leaves behind a situation where leftover code in the handoff can be executed without privilege.
It's a problem that may have existed for several days, though Adobe's security blog indicates the company had just gotten wind of it on Tuesday. What might have been holding the team up is another security problem, which Adobe currently rates as "moderate": an active exploit of the Adobe Reader installer, where certain installation files may be replaced with malicious code. While the security team is already working on a fix for that problem, a fix for this newer "critical" issue may only be available by this time next Thursday.
Go over here and download this PDF reader and you won't have many worries about Adobe Reader any more. It will render any Adobe format PDF .... and it looks a lot better than Foxit Reader.
http://www.snapfiles.com...r/pdfxchangeviewer.html
Stop with the pushing Mozilla Firefox crap... Mozilla is losing their edge with the "goofy stuff" they are considering pulling lately. It was supposed to be about "choices" but how can you choose if they won't support "you ultimately." (Your chosen version of Firefox to use)
http://www.computerworld...bugs_in_older_Firefox_3
Oh and seriously I don't understand why they just didn't have folks uninstall Adobe Reader... go disable the .dll file??? Get rid of it. The only Adobe you should have to run is "Flash" and you need to be running version 10+. UAC in Windows Vista/7 stops this exploit...you XP home users need to get "Windows 7" installed if you can fit it into your budgets. (And run it on your existing hardware)
Drive-by downloads are dangerous; install a third-party app like "ThreatFire" from PC Tools and it should warn you. In XP, upgrade your Internet Explorer version to 8 (DEP) on by default.
Score: -1
|Firefox and NoScript, enabled to block the lot until a fix arrives.
Score: 0
|Done.
Now I think would be a good time to go on vacation and not use the computer for a while.
Score: 0
|Surely a much better solution would be "Edit, Preferences, Multimedia Trust (Legacy), Permission for Adobe Flash Player is set to Never"
Score: 0
|Sandbox, anyone?
Score: -1
|Still waiting for x64 Sandboxie. :p
Running a VM just for browsing is too much overkill for me right now.
Score: 0
|FoxitReader, granted watch out for the crap bundled with it, damn you Foxit...
Also, all anyone really needs is Adobe Flash, perf under Firefox, I leave IE out of the loop lol, and Silverlight, you're golden... no critical issues :P
Oh, and while we're talking Adobe, go into its settings and up your privacy folks, also! Install BetterPrivacy add-on if you're using Firefox, keep your PC happy and clean...
Hmm, what other tidbits of information do I have to pass along today? Oh yeah, your add-on options and plugins under Firefox should look as such.
http://imgur.com/XtQBU.png
note the version# Flash and SL
Score: -2
|FoxitReader, granted watch out for the crap bundled with it, damn you Foxit...
Agreed. Between the security issues and other recent printing issues we've had with Adobe Reader 8 and 9, I am seriously considering pushing our company to use Foxit Reader for viewing PDFs instead of Adobe. The crap Foxit tries to install on your PC if you don't uncheck it is a major roadblock to doing that, and I agree it is really disappointing because Foxit really does work so much better than Adobe.
Score: 0
|http://www.msfn.org/boar...n/index.php/t55676.html
Silent installer discussion regarding foxit.
Right now, we push it as part of the SMS image (installed without the crap/update turned off) and that works pretty well, but the silent install might be a consideration if you don't use SMS.
Score: 0
|I love it when some software companies treat such security issues as a mild issue when in reality it's a major issue.
Score: -1