Full Version: Security advisory for Adobe Reader, Acrobat and Flash Player
snkzato1
From:
http://www.adobe.com/support/security/advi.../apsa09-03.html

OH my!

QUOTE
Security advisory for Adobe Reader, Acrobat and Flash Player
Release date: July 22, 2009

Last Updated: July 23, 2009

Vulnerability identifier: APSA09-03

CVE number: CVE-2009-1862

Platform: All Platforms

Summary

A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows.


Removed a large portion of the quote in order to comply with the rules of fair use.

Orange Blossom
pcuser007
holy cats!
nice info snkzato1 :)

Does anyone know what this site needs the adobe add-on running for? I don't see any vids...
Amazing Andrew
Just heard about this myself and was compiling links to post here. Beat me to it!

Adobe recommends finding and renaming all instances of the authplay.dll file to something like authplay-old.dll until after applying the patch, which is expected by July 31. Users who do this will still suffer application crashes in programs that rely on this library, but will not be vulnerable to this exploit. The US CERT, however, recommends completely disabling Flash or selectively enabling it only on websites which you trust. Users of Mozilla Firefox can use the NoScript addon to permit only authorized websites to run Flash content.

This vulnerability affects all platforms (Windows, Mac OSX, Linux and other Unix variants) but as yet has only been observed to be exploited on Windows systems. Users of Windows Vista can use UAC to mitigate the risk of an exploit.

References:
US-CERT Advisory
US-CERT Vulnerability Note
Adobe's Advisory
Symantec's Analysis
Romeo29
For temporary protection:

1. Rename authplay.dll and rt3d.dll. These files are usually located in %programfiles%\Adobe\Reader 9.0\Reader. These files are used to play Flash content embedded in a PDF file.

2. Disable Flash in all browsers using NoScript or FlashBlock. It has been reported by ISC that even on legitimate sites, the execution code is being inserted to create drive-by-attacks. These attacks are fully automated - all you have to do is visit the site.
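
The rename workaround described in the posts above, as an added example that is not part of the original thread and not an Adobe tool: it finds every copy of authplay.dll and rt3d.dll under a directory tree and renames each to a `-old` name. The dry-run default and the `--apply` flag are assumptions of this sketch; run it from an elevated prompt against the Adobe install directory.

```python
import os
import sys
from pathlib import Path

# File names taken from the posts above; matched case-insensitively.
TARGETS = {"authplay.dll", "rt3d.dll"}
SUFFIX = "-old"  # authplay.dll -> authplay-old.dll, as suggested in the thread


def find_targets(root):
    """Return every file under root whose name is one of TARGETS."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TARGETS:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def disable(root, dry_run=True):
    """Rename each target to <stem>-old<ext>; return the (old, new) pairs.

    With dry_run=True nothing is touched, so the list can be reviewed first.
    """
    changes = []
    for path in find_targets(root):
        new = path.with_name(path.stem + SUFFIX + path.suffix)
        if new.exists():
            # Never overwrite a copy renamed on an earlier run; report and skip.
            print(f"skip {path}: {new.name} already exists", file=sys.stderr)
            continue
        if not dry_run:
            path.rename(new)
        changes.append((path, new))
    return changes


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    if not args:
        sys.exit("usage: disable_authplay.py <install-dir> [--apply]")
    apply_changes = "--apply" in sys.argv[1:]
    for old, new in disable(args[0], dry_run=not apply_changes):
        verb = "renamed" if apply_changes else "would rename"
        print(f"{verb} {old} -> {new.name}")
```

Running `find_targets` again after the vendor patch is installed shows whether the update put fresh copies of the libraries back in place.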

DaChew
Flash Player

QUOTE
You have version 10,0,32,18 installed


http://kb2.adobe.com/cps/141/tn_14157.html

Romeo29
Adobe on Thursday patched 12 vulnerabilities in Flash Player, including three it inherited from faulty Microsoft development code and one that hackers have been exploiting for at least a week.

Updates released on Thursday:
http://www.adobe.com/support/security/bull.../apsb09-10.html

Update for Flash Player (version 10.0.32.18):
http://www.adobe.com/go/getflashplayer

Update Adobe AIR (to version 1.5.2)
http://get.adobe.com/air/

Update for Adobe Reader 9.1 (download patch for updating to 9.1.3)
http://www.adobe.com/support/downloads/pro...latform=Windows
sh4rkbyt3
The sad part of all this is the fact that Adobe knew about this for over 7 months before they decided to act on it or let anyone know.

Several hacker sites had posted about this weakness back in December 2008 and were beginning to elaborate on just how to effectively exploit the weaknesses, which were also reported to Adobe. Most ethical hackers (yes, they exist) will notify these companies as to how and where the found weaknesses exist. Some will even go so far as to send the source code (and some variants) for the exploits so that the developers can create patches. Adobe chose to ignore this despite proof positive results that were sent to them.

ZDNet had posted about these facts in May/June of 2009 and only then did Adobe feel the need to begin working on a patch.

I realize a proactive approach is not always feasible or even realistic but you would expect a large conglomeration like Adobe to be at least reasonably "reactive". Especially when their product brands reach almost 78% of the active users.