Saturday, 12 June 2010

Adobe Reader, Flash, Acrobat security issue - update / delete ASAP

There's been another critical security vulnerability with Flash (SWF) affecting Adobe products like Flash Player, Reader, Acrobat and possibly others like Photoshop and Fireworks, for all types of computers whether running Windows, Mac or Linux.

It could enable bad hackers to take over your computer, and has been increasingly exploited since it was first announced last week, with malicious websites using it to make the computers of unsuspecting visitors download malware like trojans. See the US-CERT report and e.g. BBC report and TrendLabs.

Given the widespread use of Acrobat Flash (e.g. for YouTube and web animations) and PDF files, this sort of thing is serious - indeed, according to a Symantec internet security threat report published in April 2010, the bad guys are now targeting Acrobat Reader more than anything else these days: 49% of all web-based attacks made use of infected PDF files (next 3 were vulnerabilities with Windows and Internet Explorer).

How to protect your computer

Flash Player, Adobe AIR - Adobe have recently released a security update for these products. You ought to update them via auto-update or downloading Flash Player and (if you use AIR) downloading AIR.

Adobe Reader, Adobe Acrobat - there are instructions here with the fixes or workarounds for the main operating systems, Mac and Linux as well as Windows. Windows users need to delete or rename the Adobe authplay.dll files - one for Reader (which most people have), one for Acrobat (which only some people have).

Note however that doing that will result in a crash or error message when you open a PDF file containing Flash SWF content - which isn't that common, so it seems worth it. Hopefully when Adobe issue an update for these products it'll all be sorted.

If you're a Windows user, to save time you can click on the following links in order to open the appropriate folder fast, then find authplay.dll in it and delete or rename it (if those folders aren't used on your computer, try searching for the filename in Windows Explorer):

Note: if clicking these links doesn't work, such as where your system is set to open URLs in a browser other than Internet Explorer (e.g. I've previously blogged how to get Outlook links to open in Firefox instead of Internet Explorer), you'll have to copy and paste the link into the Internet Explorer address bar and then hit Go or Enter. Don't worry, those links only let you access your own local system, neither I nor anyone else can use them to mess with your computer!
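For anyone who prefers a script to clicking through folders, here is the same search-and-rename step in PowerShell. It is an added example, not part of Adobe's instructions; it assumes the products are installed under the standard Program Files folders, and the `.disabled` suffix is just a name made up for the example.

```powershell
# Added example: find authplay.dll under the Program Files folders and rename it
# so Reader/Acrobat can no longer load it. Save as a .ps1 file and run it from an
# elevated PowerShell prompt. Add -WhatIf to preview, -Restore to undo later.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Suffix = '.disabled',   # hypothetical suffix; any new name works
    [switch]$Restore                 # put the original name back once a fix is installed
)

# Assumption: Adobe products live under the standard Program Files roots.
# The (x86) variable is empty on 32-bit Windows, so empty entries are dropped.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# When restoring, look for the renamed file instead of the original.
if ($Restore) { $from = "authplay.dll$Suffix"; $to = 'authplay.dll' }
else          { $from = 'authplay.dll';        $to = "authplay.dll$Suffix" }

$found = Get-ChildItem -Path $roots -Filter $from -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

if (-not $found) {
    Write-Output "No $from found under: $($roots -join ', ')"
    return
}

foreach ($file in $found) {
    $target = Join-Path $file.DirectoryName $to
    # Never overwrite an existing file (e.g. a copy left by an earlier run).
    if (Test-Path -LiteralPath $target) {
        Write-Warning "Skipping $($file.FullName): $target already exists"
        continue
    }
    if ($PSCmdlet.ShouldProcess($file.FullName, "Rename to $to")) {
        Rename-Item -LiteralPath $file.FullName -NewName $to
        Write-Output "Renamed $($file.FullName) -> $to"
    }
}
```

Renaming rather than deleting means the file can be put back with `-Restore`.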
