Posted by: Ken Harthun
There are those of us who haven’t used Adobe’s Acrobat Reader in years, choosing alternatives like the free Foxit Reader or the open source Xpdf instead. My reason at first was simply that Acroreader is bloatware, took forever to load and used up too much memory; these days, my reason includes the terribly insecure software Adobe insists on releasing. Unfortunately, it’s hard to get away from Flash on the web, but there is an alternative player/plugin that I’ll talk about in a moment. And here we go with business as usual:
Security Advisory for Flash Player
Release date: September 13, 2010
Vulnerability identifier: APSA10-03
CVE number: CVE-2010-2884
A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.
We’ll have to wait until the week of September 27, 2010 for the Flash patch, and the week of October 4, 2010 for the Reader/Acrobat patches.
What can you do? Unless you absolutely have to have Reader/Acrobat for some reason, switch to an alternative such as one of those I mentioned above. Foxit Reader integrates nicely with Firefox. There’s another Firefox add-on that’s an alternative to Adobe: gPDF is a handy tool to view PDF, DOC, DOCX and PPT files online, using Google’s Docs Viewer.
Next, disable the Shockwave Flash plugin. Download and install Swiff Player (current version 1.7), a free stand-alone player that enables web designers and Flash users to easily play Flash movies. When you install it, it also becomes the default player for .swf files on the web. Sweet, eh? Swiff Player is very fast, too. This won’t eliminate Flash (Swiff Player requires it), so I’m not sure exactly what is gained, but it’s an extra layer for hackers to penetrate, so it just might break a Flash exploit by introducing a misdirection.
Anyone have any thoughts on this?