Adobe has released a “Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat” (Vulnerability identifier: APSA11-02; CVE number: CVE-2011-0611).
SUMMARY
A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.
This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform. At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
We are in the process of finalizing a schedule for delivering updates for Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.2) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.
AFFECTED SOFTWARE VERSIONS
• Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
• Adobe Flash Player 10.2.154.25 and earlier for Chrome users
• Adobe Flash Player 10.2.156.12 and earlier for Android
• The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems
NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.
SEVERITY RATING
Adobe categorizes this as a critical issue.
DETAILS
Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at http://blogs.adobe.com/psirt or by subscribing to the RSS feed at http://blogs.adobe.com/psirt/atom.xml.
Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.
Source: Adobe Systems Incorporated
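The advisory describes the in-the-wild delivery vector as a Flash (.swf) object embedded in a Microsoft Word (.doc) attachment. Binary .doc files are OLE compound files, and an embedded OLE object is normally stored in them as raw bytes, so a first-pass triage check is to scan the file for SWF signatures (FWS, CWS, ZWS) and validate the 8-byte header that follows. The scanner below is an added example written for this page, not Adobe's code and not a substitute for the detection signatures Adobe shared with vendors; the sample "document" it scans is constructed inline (an OLE-style magic, filler, then a zlib-compressed SWF with a minimal body), and the 64 MiB length cap and version ceiling are assumptions chosen to limit false positives.

```python
"""Heuristic triage for SWF objects embedded in a binary document.

Added example for the APSA11-02 delivery vector (.swf inside .doc); the
sample document is constructed below and is not a real Word file.
"""
import struct
import zlib
from typing import List, Optional, Tuple

# SWF signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_DECLARED_LEN = 64 * 1024 * 1024  # assumption: sanity cap on the header's length field
MAX_VERSION = 50                     # assumption: SWF versions were <= 10 in 2011; allow headroom

Hit = Tuple[int, str, int, int]  # (offset, signature, version, declared uncompressed length)


def find_embedded_swf(data: bytes) -> List[Hit]:
    """Return every plausible SWF header in `data`, ordered by offset.

    A plausible header is a signature followed by a one-byte version and a
    little-endian uint32 uncompressed length covering at least the header.
    """
    hits: List[Hit] = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            start = off + 1
            if off + 8 > len(data):
                continue
            version = data[off + 3]
            length = struct.unpack_from("<I", data, off + 4)[0]
            if 1 <= version <= MAX_VERSION and 8 <= length <= MAX_DECLARED_LEN:
                hits.append((off, magic.decode("ascii"), version, length))
    return sorted(hits)


def verify_hit(data: bytes, hit: Hit) -> Optional[bool]:
    """Cross-check a hit against its body to weed out chance signature matches.

    FWS: the declared length must fit in the remaining bytes.
    CWS: the body must be a valid zlib stream whose output matches the declared
         length minus the 8-byte header.
    ZWS: the LZMA layout is not checked here; None means 'unverified'.
    """
    off, sig, _version, length = hit
    payload = data[off + 8:]
    if sig == "FWS":
        return len(payload) >= length - 8
    if sig == "CWS":
        try:
            out = zlib.decompressobj().decompress(payload)  # trailing bytes are tolerated
        except zlib.error:
            return False
        return len(out) == length - 8
    return None


def triage(data: bytes) -> List[dict]:
    """Scan a file's bytes and report each hit with its verification status."""
    return [
        {"offset": h[0], "signature": h[1], "version": h[2],
         "declared_length": h[3], "verified": verify_hit(data, h)}
        for h in find_embedded_swf(data)
    ]


def build_sample_doc() -> bytes:
    """Constructed stand-in for a booby-trapped .doc (not a real Word file)."""
    # Minimal SWF body: 9-byte RECT (550x400), frame rate 12.0, 1 frame, End tag.
    body = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"
            + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00")
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    return ole_magic + b"Quarterly report\x00" * 8 + swf + b"\x00" * 64


if __name__ == "__main__":
    for entry in triage(build_sample_doc()):
        print(entry)
```

A raw byte scan only works when the object is stored uncompressed, which is the case for OLE-embedded objects in binary .doc files; an OOXML (.docx) container deflates its parts, so unzip it first and scan each part. A hit that fails `verify_hit` is usually a chance match in other data, while a verified CWS or FWS inside a Word attachment is worth quarantining for analysis.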
MacDailyNews Take: Too easy.
But WTF wants to “take control” of a Windows POS? The only reason people have Winwoes is because it’s free, and as such they get what they DIDN’T pay for.
Russian, Chinese and Danish spam factories. Bots, Bots and more Bots.
Facepalm.
Once Flash for mobiles actually ships and consumers see what a completely ridiculous and wildly overhyped bunch of junk it is, all those mobile platform vendors will be stuck having to rely on Adobe to roll out security patches and updates. And they’ll be forced to keep their fingers crossed that Adobe, which hasn’t bothered to invest the resources to maintain two decent desktop versions of Flash Player, will now suddenly decide to maintain five different new mobile versions of Flash Player and keep them all up to date, secure, performing acceptably, and in feature parity. All at the expense of their own native software platforms.
Steve Jobs couldn’t wish for a better virus to weaken rival smartphone platforms.
I removed Flash from my Mac. I don’t want those ‘tards to include me when they say 98% of computers have Flash installed.
I removed it from my older PowerBook, left it on my newer Mac mini with Click2Flash.
Unfortunately there is enough video out there that is Flash only.
Yeah, like XVideos. Otherwise, I’d be flash free.
WINNING!!!!!!!
TAKE THAT APPLE!!! Can your iOS run the latest and greatest viruses???? I think NOT!!!!
Fandroid users have the freedom to run every virus they want, and even those that they don’t want…
Awesome.
You are nuts.
I have some business requirements for Flash on a PC, but I keep that POS sandboxed in its own copy of XP running on VMware.
I don’t run Flash on my Mac, Android phone or the other PC at home.
I can’t say that I have had a single instance of using Android online where something required flash.
I’m not sure why you’d need to run Flash on Android, and it’s not needed in my experience.
Acrobat is almost as bad, they patch that thing constantly too. Every point release removes some functionality because they discovered it was exploitable.
This is the sixth critical patch for Flash this year and we’re barely 4 months in.
And each security update makes it more and more of a CPU hog.
“iOS users unaffected”
Until this: Adobe recently announced plans to combine Flash with PHP programming, resulting in Flash apps that run without Adobe AIR, allowing them to run *GASP* on iOS. 😯
This is awful. For all these years Flash has been the very foundation of the internet. The free exchange of ideas will come to a virtual standstill if people are afraid to use Flash.
There will be widespread panic and depression. Grown men will weep in public. Steaks will be undercooked and shoes won’t fit properly. My world is shattered. No. Wait. I use iOS. I don’t have to care.
GM warns of major problem in fuel motors, bike users unaffected.
It’s something very outdated. I remember the days I used to be in college when this blog post was published.