Adobe has released a security advisory to alert users of a vulnerability affecting the following products:

  • Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Solaris
  • Adobe Flash Player and earlier versions for Google Chrome users
  • Adobe Flash Player and earlier versions for Android 
  • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh.

Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition. At this time, the vendor has not released a fix for this vulnerability. The Adobe advisory indicates that this vulnerability is being actively exploited via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.

Adobe has indicated that it expects to release a fix for this vulnerability during the week of March 21, 2011. In the interim, users and administrators are encouraged to implement the following workarounds to help reduce the risks.
  • Disable Flash in the web browser as described in the Securing Your Web Browser document.
  • Disable Flash and 3D & Multimedia support in Adobe Reader 9 and later.
  • Disable JavaScript in Adobe Reader and Acrobat.
  • Prevent Internet Explorer from automatically opening PDF documents.
  • Disable the displaying of PDF documents in the web browser.
  • Enable DEP in Microsoft Windows.
  • Utilize Microsoft EMET to enable runtime mitigations for Microsoft Internet Explorer and Excel.

The Vulnerability Team advises users and administrators to review the update notifications and apply the updates necessary to help mitigate the risks.
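
Until a fix is available, mail gateways and analysts can triage the delivery vector described above (a Flash .swf file embedded in an Excel .xls attachment). The following is an added example, not part of the Adobe or US-CERT advisory: a heuristic that looks for a plausible SWF header inside an OLE2 document. The function name, the version and size thresholds, and the sample bytes are assumptions made for illustration.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file header (.xls, .doc)
SWF_SIGNATURES = (b"FWS", b"CWS")               # uncompressed / zlib-compressed SWF
MAX_SWF_VERSION = 40                            # assumed sanity bound on the version byte
MAX_DECLARED_LEN = 64 * 1024 * 1024             # assumed sanity bound on declared length


def find_embedded_swf(data: bytes):
    """Return sorted (offset, signature, version, declared_length) tuples for
    every plausible SWF header found inside an OLE2 document.

    Raw byte scan only: a stream fragmented across OLE sectors, or an
    encoded/obfuscated SWF, will be missed. Treat hits as a reason to
    quarantine and inspect, not as proof of exploitation.
    """
    if not data.startswith(OLE2_MAGIC):
        return []  # not an OLE2 container, outside the scope of this check
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig, len(OLE2_MAGIC))
        while pos != -1:
            header = data[pos:pos + 8]  # signature(3) + version(1) + length(4, LE)
            if len(header) == 8:
                version = header[3]
                (declared,) = struct.unpack("<I", header[4:8])
                # Reject text that merely contains "FWS"/"CWS".
                if 1 <= version <= MAX_SWF_VERSION and 8 < declared <= MAX_DECLARED_LEN:
                    hits.append((pos, sig.decode(), version, declared))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


# Constructed samples (not real documents): OLE2 magic, padding, then payload.
SAMPLE_WITH_SWF = (OLE2_MAGIC + b"\x00" * 504 + b"CWS" + bytes([10])
                   + struct.pack("<I", 2048) + b"\x78\x9c" + b"\x00" * 32)
SAMPLE_CLEAN = OLE2_MAGIC + b"\x00" * 504 + b"FWS report text in a cell"

if __name__ == "__main__":
    for name, blob in (("with_swf", SAMPLE_WITH_SWF), ("clean", SAMPLE_CLEAN)):
        print(name, find_embedded_swf(blob))
```
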

source: us-cert.org 
