Adobe Reader update patches bugs, removes bundled Flash Player
Four critical vulnerabilities were addressed and several security changes were made in Adobe Reader 10.1.3 and 9.5.1
IDG News Service - Adobe Systems released new versions of Adobe Reader 10.x and 9.x on Tuesday, addressing four arbitrary code execution vulnerabilities and making several security-related changes to the product, including the removal of the bundled Flash Player component from the 9.x branch.
All of the vulnerabilities fixed in the newly released Adobe Reader 10.1.3 and Adobe Reader 9.5.1 versions could be exploited by an attacker to crash the application and potentially take control of the affected system, Adobe said in its APSB12-08 security bulletin. Users are advised to install these updates as soon as possible.
The company also announced that Adobe Reader 9.5.1 no longer includes authplay.dll, a Flash Player library that was bundled with previous versions of the program to enable the rendering of Flash content embedded in PDF documents.
The presence of the authplay.dll component in Adobe Reader has caused some security issues in the past, primarily because of the inconsistent update schedules for Adobe Reader and Flash Player.
Authplay.dll contains much of the stand-alone Flash Player's code, which also means that it shares most of the latter's vulnerabilities. However, while Flash Player is patched by Adobe when needed, Adobe Reader used to follow a more strict quarterly update cycle.
This often resulted in situations where some known vulnerabilities got patched in Flash Player, but remained exploitable through authplay.dll for months, until the next scheduled update for Adobe Reader.
Such is the case with the new Adobe Reader 10.1.3 version, which incorporates three previous Flash Player security updates that were released separately during the last three months.
Starting with Adobe Reader 9.5.1, Adobe Reader 9.x will use the stand-alone Flash Player plug-in that's already installed on computers for browsers like Mozilla, Safari or Opera, in order to play Flash content in PDF files.
This functionality will not work with the ActiveX-based Flash Player plug-in for Internet Explorer or the special Flash Player plug-in version bundled with Google Chrome.
Adobe plans to remove authplay.dll from the 10.x branch of Adobe Reader in the future as well and is currently working on APIs (application programming interfaces) to make this possible, said David Lenoe, group manager for Adobe's Product Security Incident Response Team (PSIRT), in a blog post Tuesday.
Vulnerability management vendor Secunia welcomes Adobe's decision to remove authplay.dll from Adobe Reader, because it will make addressing Flash vulnerabilities easier for users, Secunia's chief security specialist, Carsten Eiram, said.
"However, the default option in Adobe Reader should be to not support Flash content in PDF files, requiring users to specifically enable this," Eiram said. "Most users do not need it and Flash content embedded in PDF files has historically been exploited as a vector to compromise Adobe Reader users' systems."
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!