US DHS advises users to turn off Flash pending Adobe security fix
In the wake of reports that malicious users have found a way to trick Adobe Reader 9 into triggering an exploitable crash in Adobe Flash 9 and 10, the US Dept. of Homeland Security's CERT cybersecurity team is asking users and administrators everywhere to turn off Flash video in their Web browsers.
This prompted Adobe, which has recently been facing what may be the onset of a deluge of security issues, to update its security advisory, now rating the exploitable issue as "critical." Adobe is not advising users to take such drastic measures as disengaging Flash in their browsers (which would make it very hard to watch YouTube). What it's suggesting instead is that users manually delete the file %ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll, which is a library that Adobe Reader and Acrobat use to trigger embedded Flash and Shockwave videos.
Doing so might cause a crash when a user tries to launch a PDF document with an embedded video, though Adobe is indicating that this particular crash may not be an exploitable one.
The nature of Adobe's recommended workaround tells you almost everything you need to know about the exploit: It's another case where a maliciously crafted handoff between two interpreters triggers a crash in the one that's supposed to receive the proverbial baton. That crash leaves behind a situation where leftover code in the handoff can be executed without privilege.
It's a problem that may have existed for several days, though Adobe's security blog indicates the company had just gotten wind of the problem on Tuesday. What might have been holding the team up is another security problem, which Adobe currently rates as "moderate": an active exploit of the Adobe Reader installer, where certain installation files may be replaced with malicious code. While the security team is already working on a fix for that problem, a fix for this newer "critical" issue may only be available by this time next Thursday.