5 Journeyman • 15.6K Posts • 45K Points


September 14th, 2010 05:00

Adobe Flash NOW PATCHED; Reader/Acrobat NOW PATCHED Unspecified Code Execution Vulnerability

The following has been copied/pasted from http://secunia.com/advisories/41434/

Description
A[n extremely critical] vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error when parsing Flash content. No more information is currently available.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in version 10.1.82.76 and prior.

NOTE: According to the vendor, the vulnerability is currently being actively exploited.

Solution
Adobe is planning on releasing fixes [for Flash, during the week of Sept. 27; for Reader, during the week of Oct.4].

Provided and/or discovered by
Reported as a 0-day.

Original Advisory
Adobe:
http://www.adobe.com/support/security/advisories/apsa10-03.html

===================================

The following has been copied/pasted from http://secunia.com/advisories/41435/

Description
A[n extremely critical] vulnerability has been reported in Adobe Reader/Acrobat, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the application bundling a vulnerable version of Adobe Flash Player.

For more information:
SA41434

The vulnerability is reported in version 9.3.4 and earlier.

Solution
Do not open untrusted files.

Provided and/or discovered by
Reported as a 0-day in Flash Player.

Original Advisory
Adobe:
http://www.adobe.com/support/security/advisories/apsa10-03.html

 

 

5 Journeyman • 15.6K Posts • 45K Points

September 14th, 2010 07:00

While not mentioned here, on previous occasions when Reader had a Flash-based vulnerability, a work-around was to rename the file authplay.dll, which is located in

C:\Program Files\Adobe\Reader 9.0\Reader

Should Reader need to access Flash-based content, this will result in a ("controlled") crash of Reader... which is considered preferable to allowing the vulnerability to take control of your system.

I am assuming this is a viable mitigation this time as well.

2 Intern • 5.8K Posts • 17.3K Points

September 14th, 2010 21:00

Just a reminder that SpywareBlaster can set a killbit for FlashPlayer (Tools>Flash Killer) that temporarily disables Flash content in IE.

This is completely reversible, when a patch is issued.

5 Journeyman • 15.6K Posts • 45K Points

September 15th, 2010 05:00

I just want to emphasize one point in Joe's post: SpywareBlaster can set the killbit for Flash in IE. So as I read that, it will not "kill" flash in other browsers (FF, Opera). [Granted, NoScript can block Flash in FF] And there's also the matter of whether one is subject to this vulnerability simply by having Flash installed on their system --- even if it's killed/blocked in IE/FF.

2 Intern • 5.8K Posts • 17.3K Points

September 15th, 2010 20:00

If Secunia is saying that the extremely critical vulnerability is in Adobe Flash, due to an "unspecified error when parsing Flash content", and SWB claims it can "completely disable Flash content and downloads" via Flash Killer in IE, then I would have thought this sufficient as a temporary workaround, at least for IE.

But I don't know this for a fact, and your point is well-taken. PSI still shows this vulnerability in both IE and FF, despite the IE killbit enabled, and NoScript enabled in FF.

I do know that PSI shows no Flash vulnerability in my Opera browser, where Flash is not installed.

Secunia's "solution" that a patch for Flash will be forthcoming, is no solution at all in the interim!

It seems to me the only guaranteed options to stay safe until then are:
- uninstall Flash from all your browsers, and your computer, pending this patch, or
- surf with a sandboxed browser, or
- stay offline.

Ya pays yer money, and ya takes yer chances ...
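The kill bit discussed in the posts above is a per-control registry flag that IE checks before loading an ActiveX control, so whether it is really set can be audited. The following is an added example, not part of the thread and not SpywareBlaster's code; the Flash CLSID, the key path and the sample `.reg` export are assumptions supplied here, not values from the thread.

```python
import re

# Assumptions, not from the thread: the Flash ActiveX CLSID, the IE
# "ActiveX Compatibility" key layout, and 0x400 as the kill-bit flag.
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"
KILL_BIT = 0x00000400
KEY_TAIL = (r"\Microsoft\Internet Explorer\ActiveX Compatibility" + "\\"
            + FLASH_CLSID).upper()

# Constructed .reg export: kill bit set in the native view only.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000000
"""

def killbit_status(reg_text):
    """Return {view: bool} for each registry view holding the Flash key.

    'native' is read by an IE of the OS's own bitness; 'wow6432' is read by
    32-bit IE on 64-bit Windows, so it needs its own kill bit.
    """
    status, view = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            view = None
            if key.endswith(KEY_TAIL):
                view = "wow6432" if "\\WOW6432NODE\\" in key else "native"
                status[view] = False      # key present, flag not seen yet
            continue
        m = re.match(r'"Compatibility Flags"=dword:([0-9a-fA-F]{8})$', line)
        if m and view:
            status[view] = bool(int(m.group(1), 16) & KILL_BIT)
    return status

def unprotected_views(reg_text, views=("native", "wow6432")):
    """Views where IE would still load the control (absent key = no kill bit).
    Pass views=("native",) when auditing 32-bit Windows."""
    status = killbit_status(reg_text)
    return [v for v in views if not status.get(v, False)]
```

On the constructed export, the 32-bit IE view is reported as unprotected even though the native view has the kill bit set.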

5 Journeyman • 15.6K Posts • 45K Points

September 16th, 2010 07:00

Joe wrote: "I do know that PSI shows no Flash vulnerability in my Opera browser, where Flash is not installed".

Opera shares the plug-in with Firefox... if you (still) have Flash installed on your machine, open Opera, and go to

http://www.adobe.com/software/flash/about/

It should confirm that Flash is installed!

You can also confirm this in Opera via Tools / Advanced / Plug-ins

But yes, Secunia's PSI does NOT list it under Opera.

2 Intern • 5.8K Posts • 17.3K Points

September 16th, 2010 15:00

It should confirm that Flash is installed!

You can also confirm this in Opera via Tools / Advanced / Plug-ins

But yes, Secunia's PSI does NOT list it under Opera.

You are correct, of course, but ...

When I go to that website using Opera 10.62, it asks me to download that Flash plug-in, which I have never chosen to do. And it is not listed in my list of Opera plug-ins. This is true on both computers with Opera installed.

I did not uninstall Flash Player on either computer, but I presume that my Opera is Flash-free, and thus not vulnerable. Who knows, however, when talking about "unspecified" vulnerabilities!

Browsing without Flash enabled is quite a pain.

Odd that PSI doesn't report any vulnerability in Opera's Flash for you, though!

Edit: OK, I see what I did. With the upgrades to the latest versions of both FF and Opera, I never installed Flash in either (which I had done previously) since I use mainly IE8. So my statement that PSI showed this as vulnerable in FF was incorrect - it does not.

 

5 Journeyman • 15.6K Posts • 45K Points

September 19th, 2010 06:00

Adobe announced on their PSIRT blog that they will be moving the Flash patch up to [Monday], September 20th, a week earlier than previously reported. This is likely because the flaw is being actively exploited in the wild.

Fixes for Reader and Acrobat are still scheduled for October 4th.

5 Journeyman • 15.6K Posts • 45K Points

September 20th, 2010 12:00

Adobe Flash Player 10.1.85.3

First, download and run the UNinstaller to remove older versions: http://download.macromedia.com/pub/flashplayer/current/uninstall_flash_player.exe

ActiveX Flash Player for IE/Windows: http://get.adobe.com/flashplayer/thankyou/?installer=Flash_Player_10.1_for_Windows_Internet_Explorer

Plug-in Flash Player for FF/Opera (Windows): http://get.adobe.com/flashplayer/thankyou/?installer=Flash_Player_10.1_for_Windows_-_Other_Browsers

 

(Note: As of Tuesday morning, Secunia's PSI is acknowledging that these updates are secure.)

2 Intern • 1.1K Posts

September 21st, 2010 11:00

Hello KY331,

Thank you for the information and I understand the 32bit Flash Player and my IE 8.

Now when I open my IE 8 in x64 and go to the Adobe Flash site, I find something called "Flash Square" that will work in x64 IE and in IE 9. Is it worth downloading that version of the Adobe Flash as well?

ie: http://download.macromedia.com/pub/labs/flashplayer10/flashplayer_square_p1_64bit_activex_091510.exe

Regards

5 Journeyman • 15.6K Posts • 45K Points

September 21st, 2010 12:00

Snow,

I don't have an x64 bit system, so I have no first-hand knowledge of this matter.

Looking at the following webpage: http://labs.adobe.com/technologies/flashplayer10/ , I see that:

Flash® Player "Square" is a preview release that enables native 64-bit support on... Windows, ... so that users can test existing content and new platforms for compatibility and stability. Because this is a preview version of Flash Player, we don’t expect it to be as stable as a final release version of Flash Player. Use caution when installing Flash Player "Square" on production machines.

These capabilities will be supported in future releases of Flash Player... Native 64-bit support will be available in Flash Player during the first half of 2011.

Does "regular" Flash work in your IE8x64? (It may not be as "full featured" as the square version.) Based on my read of the situation, it might be wisest/safest to wait until these new features are incorporated into the "mainstream" distribution of Flash early next year. Perhaps someone who has actually tried it out can offer a more definitive view on the matter.

 

2 Intern • 1.1K Posts

September 21st, 2010 12:00

Hi KY331,

Thank you.

I will not try it yet. I am content with the present flash in my IE 8 x32 running in my Win 7 x64 Ultimate. However I shall diligently watch what people like you discuss in here & follow as when it is appropriate.

Regards

5 Journeyman • 15.6K Posts • 45K Points

October 6th, 2010 07:00

Adobe Reader 9.4 [ or 8.2.5 ] has now been released, fixing this problem.
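The version numbers reported across this thread can be turned into a per-branch check of installed builds. The following is an added example, not part of the thread or of any Adobe or Secunia tooling; the product keys, host names and inventory rows are constructed. It shows why builds must be compared numerically and against the fixed build of their own branch.

```python
# First fixed build per major branch, as reported in the thread.
# Product keys, host names and inventory rows are constructed for this example.
FIRST_FIXED = {
    "flash":  {10: "10.1.85.3"},
    "reader": {9: "9.4", 8: "8.2.5"},
}

def parse(version):
    """'10.1.82.76' -> (10, 1, 82, 76), so fields compare as numbers."""
    return tuple(int(part) for part in version.strip().split("."))

def pad(a, b):
    """Right-pad with zeros so 9.4 and 9.4.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def triage(product, version):
    """Return 'patched', 'vulnerable' or 'unlisted' for an installed build."""
    branches = FIRST_FIXED[product]
    installed = parse(version)
    major = installed[0]
    if major > max(branches):
        return "unlisted"        # newer branch than the thread covers
    if major not in branches:
        return "vulnerable"      # "and prior"/"and earlier", no fix listed
    have, need = pad(installed, parse(branches[major]))
    return "patched" if have >= need else "vulnerable"

def naive_triage(version, last_affected):
    """The tempting shortcut: one threshold, compared as strings."""
    return "vulnerable" if version <= last_affected else "patched"

INVENTORY = [
    ("host-a", "flash", "10.1.82.76"),
    ("host-b", "flash", "10.1.9.0"),    # constructed build number
    ("host-c", "flash", "10.1.85.3"),
    ("host-d", "reader", "9.3.4"),
    ("host-e", "reader", "8.2.5"),
    ("host-f", "reader", "9.4.0"),
]

def report(rows=INVENTORY):
    """Map each host to its triage result."""
    return {host: triage(product, version) for host, product, version in rows}
```

The string shortcut gets two of these rows wrong: it calls the constructed 10.1.9.0 build patched and calls Reader 8.2.5 vulnerable when measured against 9.3.4.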
