Yesterday was sort of a busy day for Adobe security. Of course, that doesn’t seem like such an uncommon occurrence these days. Adobe issued an update to address a security flaw in Flash, and followed up with a new security advisory about a vulnerability impacting Adobe Reader.
The Adobe security bulletin for the Flash vulnerability provides details about the issue. “Critical vulnerabilities have been identified in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.95.1 for Android. These vulnerabilities, including CVE-2010-3654 referenced in Security Advisory APSA10-05, could cause the application to crash and could potentially allow an attacker to take control of the affected system.”
Adobe also published a blog post describing a potential security threat affecting Adobe Reader. “Adobe is aware of a potential issue in Adobe Reader posted publicly today on the Full Disclosure list. A proof-of-concept file demonstrating a Denial of Service was published. Arbitrary code execution has not been demonstrated, but may be possible. We are currently investigating this issue.”
Adobe stresses that the issue does not affect Adobe Acrobat, and that it is not currently aware of any attacks exploiting the Adobe Reader issue. Still, pending an actual patch or update, Adobe provides guidance to use the JavaScript Blacklist Framework to protect vulnerable systems.
The JavaScript Blacklist Framework is a mechanism for blocking vulnerable APIs rather than disabling JavaScript altogether. The blacklist is maintained in the Windows registry and the Macintosh OS X FeatureLockdown file. The Adobe blog post about the Reader issue includes step by step instructions to use the framework.