Accessibility

Security bulletin

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

Release date: March 14, 2011

Last updated: March 21, 2011

Vulnerability identifier: APSA11-01

CVE number: CVE-2011-0609

Platform: All Platforms

Summary

A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

Adobe recommends users of Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris operating systems update to Adobe Flash Player 10.2.153.1 (Adobe Flash Player 10.2.154.25 for Chrome users). Adobe recommends users of Adobe Flash Player 10.1.106.16 and earlier versions for Android update to Adobe Flash Player 10.2.153.1. Adobe recommends users of Adobe AIR 2.5.1 and earlier versions for Windows, Macintosh and Linux update to Adobe AIR 2.6. For more information, please refer to Security Bulletin APSB11-05.

Adobe recommends users of Adobe Reader X (10.0.1) for Macintosh update to Adobe Reader X (10.0.2). For users of Adobe Reader 9.4.2 for Windows and Macintosh, Adobe has made available the update, Adobe Reader 9.4.3. Adobe recommends users of Adobe Acrobat X (10.0.1) for Windows and Macintosh update to Adobe Acrobat X (10.0.2). Adobe recommends users of Adobe Acrobat 9.4.2 for Windows and Macintosh update to Adobe Acrobat 9.4.3. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011. For more information, please refer to Security Bulletin APSB11-06.

Affected software versions

  • Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 10.2.154.18 and earlier for Chrome users
  • Adobe Flash Player 10.1.106.16 and earlier for Android
  • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.

Severity rating

Adobe categorizes this as a critical issue.

Revisions

March 21, 2011 - Updated with information on Security Bulletin APSB11-05 and Security Bulletin APSB11-06
March 18, 2011 - Updated with information on Flash Player for Android and Google Chrome
March 17, 2011 - Added Mitigations section
March 14, 2011 - Updated Chrome Flash Player version information (changed from 10.2.154.13 to 10.2.154.18)
March 14, 2011 - Bulletin released.