Adobe Reader browse-and-get-pwned 0day under attack

malexous · 28 Oct 2010

Adobe has confirmed reports that yet another unpatched vulnerability in the latest versions of its ubiquitous software is being actively exploited to infect end users with data-stealing malware.

The vulnerability exists in Adobe's Reader document viewer and Flash Media Player for Windows, OS X and Unix operating systems, Adobe warned on Thursday. According to independent researchers, it is being exploited in the wild against Reader for Windows to install a nasty trojan known as Wisp, which according to Microsoft, steals sensitive user data and installs a backdoor on compromised systems.
...

Adobe Reader browse-and-get-pwned 0day under attack â€¢ The Register

mr pc · 28 Oct 2010

Does Adobe have any solution other than to wait and worry?

I believe I just had a Flash update this past two weeks

SledgeDG · 28 Oct 2010

Good thing I don't use the reader anymore. I just wish there was a safe alternative for the flash player (others than download the flash clip and use an external player)

Corrine · 29 Oct 2010

mr pc said:

Does Adobe have any solution other than to wait and worry?

Yes, for what it is worth, Adobe provided Mitigations, with the following for Windows users:

"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat."

Borg 386 · 29 Oct 2010

About two weeks for the fix...maybe

Adobe said it expects to have a patch for Flash Player by November 9, 2010 and update for Adobe Reader and Acrobat 9.x during the week of November 15, 2010.

Fayla · 29 Oct 2010

I disabled both the reader and flash player in Firefox addons panel, would that have the same effect, or would the exploit still be able to abuse them?

Corrine said:

mr pc said:

Does Adobe have any solution other than to wait and worry?

Yes, for what it is worth, Adobe provided Mitigations, with the following for Windows users:

"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat."

Borg 386 · 29 Oct 2010

Rei Tumult said:

I disabled both the reader and flash player in Firefox addons panel, would that have the same effect, or would the exploit still be able to abuse them?

It would probably be on the safe side to disable it in the fix posted above. You can just navigate to the file authplay.dll and rename it to something else, like authplay.old or aothploy.dll. You'll need to be signed on as an admin to make this change.

In the interim, the company suggests that affected users delete, rename or remove access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x.
This mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.