For those who haven’t updated their Adobe Flash player yet, here’s a pretty good reason to do so right now. Adobe just released a security advisory Friday reporting a critical vulnerability in Adobe Flash Player version 10.0.45.2 and its earlier versions for Macintosh, Linux, Windows and Solaris operating systems. It also affects the authplay.dll component found in Adobe Flash Player and Adobe Acrobat products version 9.3.2 and below. Adobe reports that the said security vulnerability “could cause a crash and potentially allow an attacker to take control of the affected system.”
Adobe was also quick to note that there were reports that this security flaw is being maliciously exploited. However, it failed to provide a concrete look on how attackers have taken control of Adobe Flash Player and Adobe Acrobat Reader.
Perhaps Steve Jobs, notorious for his adamant refusal to ship iPads with Adobe Flash Player, seem to have proven himself wise in refusing to integrate it in the iPad system. Jobs have waded through months of public lambasting from Adobe Flash Player’s fans when he announced that iPad will not carry the player in iPad earlier this year. Deemed as one of iPad’s caveat, the lack of Adobe Player support seems justified in terms of security vulnerabilities.
To date Adobe has not released a security patch to address this issue. So what are Adobe users to do?
Adobe suggests that Adobe Flash Player version 10.0.45.2 users upgrade to the newer Adobe Flash Player 10.1.53.64. Users of Adobe AIR 22.214.171.12430 and earlier versions are recommended to download the latest Adobe AIR 126.96.36.19910. For those who can’t use the auto-update tool built-in the program, users can safely download a patched version of Flash Player 9, Flash Player 9.0.277.0 available for download at http://www.adobe.com/go/kb406791.
A manual tweaking solution can also be done for those stuck with the flawed version Adobe Flash Player version 10.0.45.2. Deleting, renaming or removing the authplay.dll file from installations of Reader and Acrobat 9.x will fix the security flaw.
This file can be usually found at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader and at C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Adobe Acrobat. This fix, however, reportedly will not prevent Reader or Acrobat from crashing when a PDF file containing SWF content is opened.
For those who want more in-depth details, they can check out http://www.adobe.com/support/security/bulletins/apsb10-14.html which enumerates the flaws found in this version of Adobe Flash Player 10. This also provides a step-by-step guide to the manual fix for Adobe Acrobat Acrobat Pro 9 and Reader 9 for Macintosh and Adobe Reader 9 for UNIX.
For the average user, however, these security update details are presented vaguely that it leaves more questions than answers. The quickest way to deal with this is to update to the newest version. No use mulling over what the phrase “could allow the attacker to take control of the affected system”. Adobe does not offer any explanation how that happens and what it means for your security. Their product messed up. Their sorry, that’s it.