You phone 911 to report an emergency in your home – a fire, burglary, accidental fall; I’ll let you use your imagination to expand on this list. While you’re imagining; imagine this – the 911 operator instructs you not to worry, help will arrive within a week or so.
Computer users running Adobe Flash player (versions 9 and 10), as well as Adobe Reader and Acrobat 9.1.2, are currently subject to attack by cyber-criminals capitalizing on a zero-day vulnerability, and find themselves in an analogous position.
This is an extremely serious vulnerability which could result in a successful takeover of an attack victim’s computer through remote code execution. Like the 911 operator above, Adobe’s response to this vulnerability is, don’t worry we’ll get to you, we’ll fix it – just not now.
According to Adobe:
“We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009.”
To read the rest of Adobe’s response checkout “Security advisory for Adobe Reader, Acrobat and Flash Player”, at the Adobe site.
If you are like most computer users, you were probably only minimally interested in installing the latest updates of Adobe products since you may not have been aware of the important security patches they contain. In fact, you may not be aware of how important it is to keep all installed applications up to date, and patched.
Save yourself a lot of time and aggravation, and ensure that all your installed applications are always patched and up to date, by installing Secunia PSI, a free application which scans your PC for installed application vulnerabilities. In this case, it would have notified you of the Adobe vulnerabilities.
Without Secunia PSI installed, you leave yourself open to attacks and exploits that seem to be increasing in frequency.
Consider this from ZDNet:
Ten free security utilities you should already be using –
Number one is the Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine.
For more information on Secunia PSI please read “Play Russian Roulette – Don’t Update Your Applications”, on this site. This review of Secunia PSI includes download links.
In the meantime: Steps you can take while waiting for Adobe to issue these critical patches –
As always, be cautious when browsing untrusted websites
Ensure your AV definitions are current
If you are running FireFox you should be running the NoScript add-on, and you might consider installing and running the Flashblock add-on. Both offer substantial protection. This solution is not perfect however, and you may still be vulnerable.
Run all software as a non-privileged user with minimal access rights.
Frankly, I do not use, nor would I ever use, an Adobe product on any of my systems. These zero day exploits against Adobe products seem to be never ending.
To read a comprehensive technical report on this issue, check out “Heap Spraying with Actionscript – Why turning off Javascript won’t help this time”, on the FireEye Malware Intelligence Lab site.
If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.
Bill Mullins' Weblog - Tech Thoughts 