National Cyber Alert System
Cyber Security Alert SA10-159A archive

Adobe Flash, Reader, and Acrobat Vulnerability

Original release date: June 08, 2010
Last revised: June 29, 2010
Source: US-CERT

Systems Affected

  • Adobe Flash Player
  • Adobe Reader and Acrobat

Other Adobe products that support Flash may also be vulnerable.


Overview

There is a vulnerability in Flash Player that also affects Adobe Reader and Acrobat. An attacker could exploit this vulnerability to take control of your computer.


Solution

Update Flash Player

Adobe Security Bulletin APSB10-14 recommends updating to Flash Player at the Adobe Flash Player Download Center or using the automatic update feature. This will update the web browser plugin and ActiveX control, but will not update Flash support in Adobe Reader, Acrobat, or other products.

Update Reader and Acrobat

Adobe Security Bulletin APSB10-15 recommends updating to the latest versions of Reader and Acrobat (9.3.3 or 8.2.3). You can use the automatic update feature of Reader and Acrobat to download this update.

To reduce your exposure to this and other Flash vulnerabilities, consider the following mitigation techniques.

Disable Flash in your web browser

Uninstall Flash or restrict which sites are allowed to run Flash. To the extent possible, only run trusted Flash content on trusted domains. For more information, see Securing Your Web Browser.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript may prevent some exploits. To disable JavaScript in Acrobat, do the following:

  1. Open Adobe Acrobat Reader.
  2. Open the Edit menu.
  3. Choose the Preferences option.
  4. Choose the JavaScript section.
  5. Uncheck the "Enable Acrobat JavaScript" checkbox.


Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will partially protect you against this vulnerability. Applying this workaround may also protect you against future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser, do the following:

  1. Open Adobe Acrobat Reader.
  2. Open the Edit menu.
  3. Choose the Preferences option.
  4. Choose the Internet section.
  5. Uncheck the "Display PDF in browser" checkbox.

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.


Description

Adobe Security Advisory APSA10-01 describes a vulnerability in Flash Player that can also be exploited using Adobe Reader and Acrobat. This Flash content could be on a web page, in a PDF document, in an email attachment, or embedded in another file.

By convincing you to open malicious Flash content, an attacker may be able to take control of your computer or cause it to crash.
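
The description above notes that the Flash content may sit inside a PDF document, and the mitigations single out JavaScript in Reader. The Python below is an added example, not part of the US-CERT alert: a first-pass triage that counts the PDF name tokens for rich media (how a PDF carries Flash), JavaScript and automatic actions. The function names, the watch list and the sample bytes are assumptions made for illustration.

```python
import re

# PDF names tied to this alert: embedded Flash (rich media annotations),
# JavaScript, and triggers that fire without a click.
WATCHED = {
    b"/RichMedia": "embedded rich media (Flash)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional (automatic) actions",
}

# A PDF name runs from "/" to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(token: bytes) -> bytes:
    """Decode #xx escapes, so /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def triage_pdf(data: bytes) -> dict:
    """Count watched names in raw PDF bytes. Names inside compressed object
    streams are not visible here, so an empty result does not clear a file."""
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    counts = {}
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in WATCHED:
            key = name.decode()
            counts[key] = counts.get(key, 0) + 1
    return counts


def should_quarantine(counts: dict) -> bool:
    """Flag files carrying Flash or JavaScript, the two paths the alert names."""
    return any(k in counts for k in ("/RichMedia", "/JavaScript", "/JS"))


# Constructed sample: a minimal PDF skeleton, not a real or working document.
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
          b"3 0 obj\n<< /Type /Annot /Subtype /RichMedia >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    found = triage_pdf(SAMPLE)
    print(found, should_quarantine(found))
```

A hit is a reason to hold a file for closer inspection in an isolated environment, since legitimate forms also use JavaScript.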



Feedback can be directed to US-CERT.


Produced 2010 by US-CERT, a government organization.


Revision History

June 08, 2010: Initial release
June 11, 2010: Updated for APSB10-14
June 29, 2010: Updated for APSB10-15

Last updated June 29, 2010