Adobe Warns of Critical Flash Vulnerability
Adobe has announced that a critical security vulnerability exists in the latest versions of Flash Player (v.9.0.159.0 and v10.0.22.87) for Mac OS X, Windows, and Linux, as well as in the authplay.dll component embedded in Adobe Reader and Acrobat v9.x for Mac, Windows, and various Unix operating systems.
The vulnerability could cause a crash that could be exploited by an attacker to gain control of the affected system, and in fact, this weakness is currently being exploited in the wild, though only in limited attacks directed at Adobe Reader 9 for Windows. An attacker could exploit this vulnerability by convincing users to visit a Web site that hosts a malicious SWF file, or by creating a PDF document that contains an embedded SWF file.
Adobe says it expects to release a fix for the Flash Player vulnerability by 30-Jul-09, and for Adobe Reader and Acrobat by 31-Jul-09. In the meantime, the company suggests Flash Player users use caution in visiting untrusted Web sites, though the only surefire way to avoid problems is by disabling Flash. For directions on disabling Flash in a variety of places and in different operating systems, see US-CERT’s Vulnerability Note VU#259425. If you use Firefox, you can use the NoScript plug-in to whitelist Flash content on specific Web sites; if you use Safari, turn to Click to Flash.
I use Camino. Do I have the same vulnerability as with Safari & Firefox?
Yes, the vulnerability would be there, since it's in the Flash plug-in, not in any individual application. As far as protecting Camino goes, it has an option to Block Flash Animations in its Web Features settings pane, but I don't know if that will block all Flash or not. Camino cannot run the NoScript Firefox plug-in, nor can it use ClickToFlash. I believe that the general approach for disabling the Flash plug-in entirely would work.
I am using Adobe Reader 8 version 1.0.0.107. Am I affected by this advisory?
Thank you