MA-277.042011 : MyCERT Alert - Critical Vulnerability in Adobe Flash Player

Date of publication: 2011-04-12

1.0 Introduction

A critical vulnerability (CVE-2011-0611) has been identified in Adobe Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.

This vulnerability allows a remote attacker to execute arbitrary code on a vulnerable version of Adobe Flash Player. User interaction is required: a user must visit a malicious web site, or open a PDF, Microsoft Excel (.XLS) or Microsoft Word (.DOC) file in which a specially crafted SWF file is embedded. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code on vulnerable installations of Adobe Flash and gain the same privileges as the user. This vulnerability could be exploited to install malware on the user's computer.

3.0 Affected Products

The products listed below are affected by this vulnerability:

- Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.2.154.25 and earlier for Chrome users
- Adobe Flash Player 10.2.156.12 and earlier for Android
- The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems

Please note that this issue does not affect Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x.

4.0 Recommendation

At the time of this writing, Adobe has not released any patches to address this vulnerability. However, users are recommended to disable Flash / Shockwave support in their web browsers and in Acrobat Reader.

4.1 Disable the Adobe Flash / Shockwave Player support in the browser:

4.2 Disable the Adobe Flash / Shockwave Player support in the Acrobat Reader:

- Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.
The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
- Adobe Reader 9.x - Macintosh
1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.
- Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.
- Adobe Reader 9.x - UNIX
1) Go to the installation location of Reader (typically a folder named Adobe).
2) Within it, browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
3) Remove the library named "libauthplay.so.0.0.0".

4.3 Disable the JavaScript support for Adobe Reader and Adobe Acrobat:

- Open your Adobe Acrobat or Adobe Reader software
- Navigate to Edit -> Preferences -> JavaScript
- Remove the tick from "Enable Acrobat JavaScript"
- Close the Adobe Acrobat or Adobe Reader software for the change to take effect.

4.4 Utilize Enhanced Mitigation Experience Toolkit

Users are also recommended to browse the Internet as a least-privilege user to limit the execution of malicious files, and not to open attachments or browse to unknown websites received via email from unknown persons. MyCERT generally advises users to keep themselves updated with the latest security announcements by the vendor.

In case the public receives any suspicious URL, .XLS, .DOC, .PDF or .SWF file and requires our further analysis, please reach us through the following channels:

E-mail : mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References