Users of Adobe products (i.e. almost all the web surfers) are in serious danger (well, not exactly breaking news).
Critical bugs in Flash Player and Acrobat, both allowing arbitrary remote code execution, are being exploited in the wild.

Adobe just released a Flash Update addressing the player vulnerability, which has been abused in real world attacks for more than 6 weeks. Notice that the FlashBlock work-around suggested by the iDefense bulletin is bogus: as we already clarified a few times, FlashBlock can't be relied upon as a security defense. The only reliable means to protect yourself against Flash-based 0 day attacks like these are either disabling the Flash Player plugin globally, or using NoScript's content blocking features to selectively enable only the Flash applets you trust.

Regarding the Acrobat flaw, Adobe announced that a patch won't be available until March the 11th. In the meanwhile many sources, including Adobe itself, recommend to disable JavaScript execution in Acrobat's options, but again the suggested work-around is not effective: disabling Acrobat's JavaScript does not prevent the vulnerability from being exploited. As always, you should be very careful in opening PDF files you receive by email, and use NoScript to prevent automatic exploitation on the web: NoScript's default deny policy applies to all the plugin content, indeed, including PDF.

13 Responses to “Upgrade Flash and Turn Off Acrobat, NOW!”

  1. #1 Basti says:

    Bad news, not new to me... the whole Internet is full of it. Flash is known to be exploited, but what did happen to PDF? It has been said. "Never open attachments if you receive some without asking for them. If it's PDF it's OK, those files are clean." This is wrong, but I guess most people think it's harmless.

    More bad things happen lately or my focus has changed. It's worse.

    It does not help in this case, but turning off JavaScript if a good idea. Especially if it's not needed.

  2. #2 Alan Baxter says:

    pdf secured and flash updated. Thanks for the heads up.

  3. #3 says:

    Actuliaza Flash y deshabilita adobe ya! [ENG]

    [C+P+T] Los usuarios de productos de Adobe (osea, casi todos los usuarios de internet) estan en serio peligro (bueno, esto no exactamente una novedad) Bugs críticos en Flash Player y Acrobat, ambos permitiendo ejecución de codigo arbitrario, están s...

  4. #4 for the Bold in the Wild… | BlackBerry Hack says:

    [...] » Upgrade Flash and Turn Off Acrobat, NOW! [...]

  5. #5 MattJ says:

    Basti says:

    It has been said. "Never open attachments if you receive some without asking for them. If it’s PDF it’s OK, those files are clean."

    Who said that?? You were right, after all: that IS wrong. Just because it is PDF is no guarantee it is 'clean'.

  6. #6 Tom T. says:

    I got rid of Acrobat reader when it swelled from 40 MB (5.0) to 167 MB (8.0( to 345 MB (9.0). Figured if all I wanted to do was open pdfs, why did I need whatever was swelling it? Got Foxit 2.0 Reader from 3w dott foxitsoftware dott calm (freeware, no nag). Total ProgFiles folder is less than 4 MB, i.e., two full orders of magnitude less than Adobloat. And has *no* JavaScript reader. So am I vulnerable to this pdf attack? Check it out...

    BTW, Foxit added the "feature" of JS in 2.1 and later (I think). You should be able to find the older one, perhaps at oldversion daht comm or search for it.

  7. #7 Tom T. says:

    @Giorgio: As I've posted before, I do almost all web browsing with Fx and NS running inside Sandboxie. (sandboxie point kom, free but nag) From what I've read, it really should prevent major damage from exploits like these and any others yet to be discovered. The exploit gives the attacker the same privileges as the user, which is "none": Nothing done inside the sandbox can affect anything outside it (like your hard drive, system files, data files, or anything else).

    We all know that you're very overloaded at the moment, but *some day*, could you please check out Sandboxie and verify or deny the developer's claims? It would be an additional level of protection, not a replacement for NS (nothing is :-), and perhaps the only way to view *any* Flash safely, since trusted sites can become compromised. Layered protection, and a powerful combination. Thanks!

  8. #8 Basti says:


    It has been said. "Never open attachments if you receive some without asking for them. If it’s PDF it’s OK, those files are clean."

    Who said that??

    I didn't quote anyone special, but several security experts considered PDF as safer as video files or images/pictures. This was the case as long as there wasn't an exploit. No file that can trigger an error, no security problem. No bullets that hit your body, no armor is needed. That does not mean that it would be safer...

  9. #9 Morgan Storey says:

    I had a look at sandboxie and thought it was pretty good, but I didn't like the nag screen. I found MS actually had "drop my rights" just a small exe that you use to call your program, in this case firefox, IE, or outlook (though outlooks plugins don't wsork). It effectively runs the program with guest privledges, so very little.
    Of course if it seems dodgier that usual I will fire up a VM and browse in there, then revert to a previous snapshot.

  10. #10 Anon says:

    Just upgraded to the latest flash ( and had my Firefox 3.0.6 crash for the first time since October 2008.

    The previous version of Flash 10 had no stability problems.

  11. #11 Tom T. says:

    @Morgan Storey:

    Yes, I should have mentioned that if you get v3.02 or earlier (Nov 07, I think), the nag screen is only a small one that can be deleted instantly without even a click -- just hit Enter (OK is highlighted.) I've avoided updates for that reason.

    I use DropMyRights also, but it's not as restrictive as SB. I believe it strips only admin privilege, so you are left with "user" privilege, which is a higher level than "guest". (Of course, I could be mistaken.) DMR will still allow any changes to your system or files that can be done without admin privilege. It's definitely a help, but SB *is* in effect that VM you mentioned, but in a much lighter wrapping. I have three Fx shortcuts: to an admin-privilege, a DMR-privilege, and a Sandboxed one. Pretty much use SB exclusively these days.

    Note that older versions are available from the developer's page (nice touch -- wish everyone did that). Go to 3w.sandboxie com/index dot php?OldVersions and try 3.02. Cheers!

  12. #12 Rava says:

    Once again a huge IT company (just like Microsucks, sorry for the lame pun, but you know it's true) shows their unwillingness and inability to give secure software to the users and it's again one of the small next door hackers like Giorgio Maone aka NoScript that gives the even free solution.
    Seems when only gaining money and the business chart is important, the danger and possible risk for thousands or millions of users won't really be a matter.
    Shame on Adobe, Microsuck and all these perverted companies risking user's data security to make more dirty bucks.

  13. #13 Robert says:

    I hate to sound like a sponsor of Adobe but I just can't see the comparison between them and MS. I don't know how long these vulnerabilities have been with Flash and Acrobat but I do know that Adobe was quick to point it out in relationship to MS. Let's face it MS refuses to make a decent browser, causing programmers to hack their work just to get their sites to run on EX 6 and 7 and now I hear 8 isn't much better. At least Adobe puts out products that work and yes they have bugs but at least there is a place to report them and track the status. So to say that Adobe would intentionally distribute software that would compromise your data is going a little too far. Yes Adobe and other IT companies are in the business to make money but some do try harder than most to make a reliable product.

Bad Behavior has blocked 729 access attempts in the last 7 days.