adobe flash player zero day vulnerability

prairie dog · 23. Jul 2009, 02:41 PM

http://news.softpedia.com/news/Adobe...d-117379.shtml

MidnightCowboy · 23. Jul 2009, 04:42 PM

The last part of the article is the best:

The company notes that deleting, renaming, or removing access to authplay.dll will mitigate the PDF attack vector. Meanwhile, Firefox users can employ the NoScript extension, which blocks flash movies by default, to protect themselves. However, the only advice to Internet Explorer users is to exercise extra caution when browsing untrusted websites and to keep antivirus definitions up-to-date.

This is MC's advice to IE users - dump it!

prairie dog · 23. Jul 2009, 04:58 PM

Quote:

Originally Posted by MidnightCowboy

The last part of the article is the best:

The company notes that deleting, renaming, or removing access to authplay.dll will mitigate the PDF attack vector. Meanwhile, Firefox users can employ the NoScript extension, which blocks flash movies by default, to protect themselves. However, the only advice to Internet Explorer users is to exercise extra caution when browsing untrusted websites and to keep antivirus definitions up-to-date.

This is MC's advice to IE users - dump it!

agreed

Firefox with noscript

Anupam · 23. Jul 2009, 07:32 PM

Adobe Reader has had serious vulnerabilities in the past, and still continues to have. Thankfully, other alternatives are available now, and less bloated than the Adobe Reader... so users are happy to switch... atleast I am.

Now with vulnerabilities surfacing in Adobe Flash Player too, since a few months... its time for Flash Player alternative? Is MS Silverlight the answer? But, MS products like IE are already suffering from vulnerabilities.

Firefox users also cannot be too sure they are protected with the NoScript fully. Because, there are always sites which people trust, and send them to the whitelist... like I do. So, if any of those whitelists sites are compromised, then it may affect their systems too.

What are the options... blocking flash completely until Adobe releases the patch? I think users using Sandboxie, or similar products, are safer.

Anupam · 27. Jul 2009, 08:25 PM

Here is more about the vulnerability in Adobe Flash Player, and Adobe Reader. Updates will be released till July 30th or 31st.

http://www.adobe.com/support/securit...apsa09-03.html

mr6n8 · 27. Jul 2009, 08:51 PM

Well this showed me a weakness in the Secunia Online Scanner.

The scanner gives me a green on my Adobe Flash Player 10.0.22.87, even though the site has this advisory listed.

I guess the online scanner only shows a program (that has an insecurity) as insecure when the patch or update for the security risk is released.

Anupam · 27. Jul 2009, 09:09 PM

After looking at your post, I ran a scan with Secunia PSI program on my PC.

Under "Secure Browsing", it indicates that the Adobe Flash Player installed is insecure, and has a link which points to the vulnerability discovered.
So, they have not yet updated this in their online scanner?

It also shows Firefox 3.5.1 as insecure, and has a link which points to URL spoofing... though it has been indicated as being less critical. But says that it is a confirmed vulnerability nonetheless.

Interestingly, it also shows Media Player Classic on my PC, as end of life program.

mr6n8 · 28. Jul 2009, 01:25 PM

I had that Secunia program on my PC, but deleted it as I figured I would just use the online scan.

After reading your post, I think the online is not as effective. It must only update when a patch is released. (I just checked and it still shows OK)

I found this in their FAQ

Quote:

Secunia Research develops new detection rules every time a vendor releases a security patch for any vulnerability in a product detected by the Secunia PSI. For example, new detection rules are created after every Microsoft Tuesday patch cycle, as this allows the Secunia PSI to check if your Windows systems patches are up to date or not.

Why it is different for the desktop version, I do not know.

The desktop version also showed MPC as end of life for me.

Thanks for the update. I am going to re-download the desktop version.

Anupam · 28. Jul 2009, 01:47 PM

As per their FAQ, I think they only update it when the vendor has released the patch. We should confirm it after Adobe has released the patch for Flash Player and the Adobe Reader.

Maybe Secunia wants people to use their desktop version more? Don't know.

I stopped using Adobe Reader long ago, when I felt their product had started to get bloated. Now, I use Sumatra Pdf and PDF Xchange Viewer.

Anupam · 30. Jul 2009, 08:52 PM

A patched and updated version of Adobe Flash Player has been released, and is available on download sites like MajorGeeks, and FileForum.

All are requested to install it as soon as possible, because its a critical update which patches a critical vulnerability in the previous version.

23. Jul 2009, 02:41 PM	#1 (permalink)
prairie dog Senior Member Join Date: Apr 2009 Location: Northern US Posts: 134	adobe flash player zero day vulnerability http://news.softpedia.com/news/Adobe...d-117379.shtml

23. Jul 2009, 04:42 PM	#2 (permalink)
MidnightCowboy Site Manager Join Date: Aug 2008 Location: South American Banana Republic, third bunch from the left Posts: 15,233	The last part of the article is the best: The company notes that deleting, renaming, or removing access to authplay.dll will mitigate the PDF attack vector. Meanwhile, Firefox users can employ the NoScript extension, which blocks flash movies by default, to protect themselves. However, the only advice to Internet Explorer users is to exercise extra caution when browsing untrusted websites and to keep antivirus definitions up-to-date. This is MC's advice to IE users - dump it! __________________ Buy a Hoover and prove technology sucks.

23. Jul 2009, 07:32 PM	#4 (permalink)
Anupam Super Moderator Join Date: Jul 2008 Location: India Posts: 15,311	Adobe Reader has had serious vulnerabilities in the past, and still continues to have. Thankfully, other alternatives are available now, and less bloated than the Adobe Reader... so users are happy to switch... atleast I am. Now with vulnerabilities surfacing in Adobe Flash Player too, since a few months... its time for Flash Player alternative? Is MS Silverlight the answer? But, MS products like IE are already suffering from vulnerabilities. Firefox users also cannot be too sure they are protected with the NoScript fully. Because, there are always sites which people trust, and send them to the whitelist... like I do. So, if any of those whitelists sites are compromised, then it may affect their systems too. What are the options... blocking flash completely until Adobe releases the patch? I think users using Sandboxie, or similar products, are safer. __________________ Anupam

27. Jul 2009, 08:25 PM	#5 (permalink)
Anupam Super Moderator Join Date: Jul 2008 Location: India Posts: 15,311	Here is more about the vulnerability in Adobe Flash Player, and Adobe Reader. Updates will be released till July 30th or 31st. http://www.adobe.com/support/securit...apsa09-03.html __________________ Anupam

27. Jul 2009, 09:09 PM	#7 (permalink)
Anupam Super Moderator Join Date: Jul 2008 Location: India Posts: 15,311	After looking at your post, I ran a scan with Secunia PSI program on my PC. Under "Secure Browsing", it indicates that the Adobe Flash Player installed is insecure, and has a link which points to the vulnerability discovered. So, they have not yet updated this in their online scanner? It also shows Firefox 3.5.1 as insecure, and has a link which points to URL spoofing... though it has been indicated as being less critical. But says that it is a confirmed vulnerability nonetheless. Interestingly, it also shows Media Player Classic on my PC, as end of life program. __________________ Anupam

27. Jul 2009, 08:51 PM	#6 (permalink)
mr6n8 Senior Member Join Date: May 2008 Posts: 424	Well this showed me a weakness in the Secunia Online Scanner. The scanner gives me a green on my Adobe Flash Player 10.0.22.87, even though the site has this advisory listed. I guess the online scanner only shows a program (that has an insecurity) as insecure when the patch or update for the security risk is released.

28. Jul 2009, 01:47 PM	#9 (permalink)
Anupam Super Moderator Join Date: Jul 2008 Location: India Posts: 15,311	As per their FAQ, I think they only update it when the vendor has released the patch. We should confirm it after Adobe has released the patch for Flash Player and the Adobe Reader. Maybe Secunia wants people to use their desktop version more? Don't know. I stopped using Adobe Reader long ago, when I felt their product had started to get bloated. Now, I use Sumatra Pdf and PDF Xchange Viewer. __________________ Anupam

30. Jul 2009, 08:52 PM	#10 (permalink)
Anupam Super Moderator Join Date: Jul 2008 Location: India Posts: 15,311	Adobe Flash Player released A patched and updated version of Adobe Flash Player has been released, and is available on download sites like MajorGeeks, and FileForum. All are requested to install it as soon as possible, because its a critical update which patches a critical vulnerability in the previous version. __________________ Anupam

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode