Vulnerability: APSA10-01 - Security Advisory for Flash Player, Adobe Reader and Acrobat
| Field | Details |
|---|---|
| Vulnerability name/brief description | Security Advisory for Flash Player, Adobe Reader and Acrobat |
| CVE/CAN name | CVE-2010-1297 |
| Vendor threat level | Critical |
| SophosLabs threat level | High |
| Solution | Not available (scheduled for 10 June, 2010) |
| Vendor description | A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. |
| SophosLabs comments | The vulnerability allows the attacker to create malicious PDF files containing a Flash animation that attempts to exploit a vulnerability in Adobe Flash Player. SophosLabs have received several samples that attempt to exploit this vulnerability. SophosLabs advises you to follow the mitigation steps: deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader 9.x and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content. The authplay.dll that ships with Adobe Reader 9.x and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat. More details about the mitigation steps can be found in the Adobe advisory. The vendor patch for Flash Player 10.x is currently scheduled for 10 June 2010 and the patch for Adobe Reader for 29 June 2010. |
| SophosLabs testing result | Two workaround techniques have been tested on the known exploit samples. The officially recommended technique of disabling the authplay.dll dynamic library prevented the exploit from working. All currently seen exploits also rely on JavaScript being enabled in Adobe Reader, so disabling JavaScript also prevents all currently known exploits from working. All known exploits deliver, as a final payload, an executable file proactively detected by Sophos as Mal/DownLdr-AC. This detection was published in September 2008. |
| Currently known exploits | Troj/SWFDlr-S (CVE-2010-1297); Troj/PDFEx-DN (CVE-2010-1297) |
| First sample seen | June 07, 2010 |
| Discovery date | June 04, 2010 |
| Affected software | Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris; Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX |
| References | http://www.adobe.com/support/security/advisories/apsa10-01.html ; http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-1297 |
| Credits | |
| Revisions | June 8, 2010 - Initial Revision |
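An added audit script (not part of the Sophos or Adobe advisory) that reports whether the two workarounds tested above are in place on a Windows host: it checks the authplay.dll paths quoted in the advisory (under both Program Files directories on 64-bit Windows) and the Reader 9.x JavaScript toggle. The registry location HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs\bEnableJS (0 = disabled) is an assumption, not something the advisory states.

```powershell
# Added audit script, not from the advisory. Reports the status of the two
# workarounds: authplay.dll removed/renamed, and Reader JavaScript disabled.
# Assumption: the JavaScript toggle lives at JSPrefs\bEnableJS (0 = disabled).

$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$authplayPaths = foreach ($dir in $programDirs) {
    # Paths as quoted in the advisory, relative to each Program Files root.
    Join-Path $dir 'Adobe\Reader 9.0\Reader\authplay.dll'
    Join-Path $dir 'Adobe\Acrobat 9.0\Acrobat\authplay.dll'
}

function Get-AuthplayStatus {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            # Library still loadable: the workaround has NOT been applied here.
            [pscustomobject]@{
                Path        = $p
                Present     = $true
                FileVersion = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
                Mitigated   = $false
            }
        } else {
            # Missing or renamed: PDFs with SWF content will fail with a
            # non-exploitable error, as the advisory describes.
            [pscustomobject]@{ Path = $p; Present = $false; FileVersion = $null; Mitigated = $true }
        }
    }
}

function Get-ReaderJavaScriptState {
    # Assumed registry location; Reader 9.x ships with JavaScript enabled.
    $key = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs'
    $prefs = Get-ItemProperty -Path $key -Name bEnableJS -ErrorAction SilentlyContinue
    if ($null -eq $prefs) { return 'unknown (value not set; default is enabled)' }
    if ($prefs.bEnableJS -eq 0) { 'disabled' } else { 'enabled' }
}

Get-AuthplayStatus -Paths $authplayPaths | Format-Table -AutoSize
"Adobe Reader 9.x JavaScript: $(Get-ReaderJavaScriptState)"
```

Run it in the context of the user whose Reader settings are being checked, since the JavaScript preference is per user (HKCU).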
Explanation of terms
Vulnerability Name/Brief Description:
Vendor identifier plus a brief description of the type of attack.
CVE/CAN Name:
Currently assigned CVE name. If a CVE name doesn't exist the CAN name will be used until a CVE has been assigned.
Vendor Threat Level:
Threat level assigned by the vendor
SophosLabs Threat Level:
Threat level assigned by SophosLabs
- LOW RISK - There is little chance of this vulnerability being actively exploited by malware.
- MEDIUM RISK - There is a possibility of this vulnerability being actively exploited by malware.
- HIGH RISK - There is a strong possibility of this vulnerability being actively exploited by malware.
- CRITICAL RISK - This vulnerability will almost certainly be actively exploited by malware.
Solution:
Vendor-supplied Patch identifier and recommended solution, or workaround if applicable.
Vendor Description:
Summary of the cause and potential effect of the vulnerability provided by the vendor.
SophosLabs Comments:
SophosLabs' opinions and observations of the vulnerability in question.
SophosLabs Testing Result:
Details of completed lab testing, if applicable. Please note that the lab test environment may differ significantly from user environments.
Currently Known Exploits:
List of identities for known exploits, if applicable.
First Sample Seen:
Date of the first sample seen by SophosLabs.
Discovery Date:
Date of the earliest known publicly disclosed advisory.
Affected Software:
Vulnerable platforms and software versions.
If you need more information or guidance, then please contact technical support.
- Article ID: 111149
- Created: 8 Jun 2010
- Last updated: 28 Sep 2010