SANS ISC InfoSec Forums

CVE-2010-3654 - New dangerous 0-day authplay library adobe products vulnerability

Adobe today released advisory APSA10-05, describing a 0-day vulnerability that can be exploited remotely in Adobe Flash Player, Adobe Reader and Acrobat. Adobe says it hopes to have an update available during the week of Nov 15.

The following are the mitigation measures recommended by Adobe:

Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x - Macintosh
1) Go to the Applications->Adobe Reader 9 folder.
2) Right Click on Adobe Reader.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.

Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder.
2) Right Click on Adobe Acrobat Pro.
3) Select Show Package Contents.
4) Go to the Contents->Frameworks folder.
5) Delete or move the AuthPlayLib.bundle file.

Adobe Reader 9.x - UNIX
1) Go to installation location of Reader (typically a folder named Adobe).
2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).
3) Remove the library named "libauthplay.so.0.0.0".
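The UNIX steps above done as a small reversible script, added here as an example (it is not Adobe's or the diary author's code): it moves libauthplay.so.0.0.0 aside instead of deleting it, and offers a status check that can be run across hosts before and after rollout. ROOT is the Reader install folder (the "Adobe" folder the steps mention); the ".disabled" suffix and the function names are this script's own assumptions.

```shell
# Added example, not Adobe's or the diary author's code: reversibly disable the
# embedded Flash engine of Adobe Reader 9.x on Linux/Solaris by moving
# libauthplay.so.0.0.0 aside, following the UNIX steps above. ROOT is the
# Reader install folder (the "Adobe" folder); the ".disabled" suffix and the
# function names are this script's own assumptions.

# find_authplay ROOT: print the library path if it is still loadable
find_authplay() {
    for arch in intellinux intelsolaris; do
        lib="$1/Reader9/Reader/$arch/lib/libauthplay.so.0.0.0"
        [ -f "$lib" ] && { printf '%s\n' "$lib"; return 0; }
    done
    return 1
}

# status_authplay ROOT: exit 0 when mitigated (library absent), 1 when exposed;
# cheap enough to run across a fleet over ssh before and after rollout
status_authplay() {
    if lib=$(find_authplay "$1"); then
        echo "exposed: $lib is present"; return 1
    fi
    echo "mitigated: no loadable libauthplay under $1"
}

# disable_authplay ROOT: rename rather than delete so the change can be undone
# once Adobe ships the fix; Reader then shows a non-exploitable error on PDFs
# that carry SWF content, as the diary describes
disable_authplay() {
    lib=$(find_authplay "$1") || { echo "nothing to disable under $1" >&2; return 1; }
    mv -- "$lib" "$lib.disabled" && echo "disabled: $lib"
}

# restore_authplay ROOT: put the library back after patching
restore_authplay() {
    for arch in intellinux intelsolaris; do
        d="$1/Reader9/Reader/$arch/lib/libauthplay.so.0.0.0.disabled"
        [ -f "$d" ] && { mv -- "$d" "${d%.disabled}"; echo "restored: ${d%.disabled}"; return 0; }
    done
    echo "nothing to restore under $1" >&2; return 1
}

# usage: sh authplay-mitigate.sh status|disable|restore /path/to/Adobe
case "${1:-}" in
    status|disable|restore) "${1}_authplay" "${2:?ROOT required}" ;;
esac
```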

More information at http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Manuel Humberto Santander Peláez

186 Posts
ISC Handler
The correct CVE identifier for this issue is CVE-2010-3654 (additionally, the format of CVEs is CVE-2010-xxxx, i.e. the hyphen before 2010). The diary's keyword entry also needs updating.
Juha-Matti

5 Posts
So, what's the reality on this vulnerability?
Flash Player gets mention as being vulnerable, but all the attention is on Acrobat Reader. Is it because the AuthPlay.dll library calls Flash Player functions in some insecure manner, or do we actually have to remove Flash Player and nobody's bothered mentioning that necessity?
Juha-Matti
57 Posts
My 2 cents:

* Both Adobe Reader and Flash are vulnerable. Adobe Reader has an embedded Flash engine so that Flash content can be embedded in PDF files. Reader does not call Flash - the embedded Flash engine in Reader is independent of the Flash plugin for the browser.
* Based on the Adobe bulletin, Adobe is aware of current exploits in the wild against Reader through the PDF vector. Adobe isn't aware of exploits against Flash, although the absence of evidence is not evidence of absence!
* It is relatively easy to defend against the PDF vector by disabling access to authplay.dll (safest, IMHO, is to deny Everyone full control on the file, but keep in mind that reversing this can require taking ownership of the file because only the owner can modify perms on a file to which everyone is blocked). This also prevents the use of Flash in PDF files, but that isn't that widely used.
* Defending against the Flash vector requires uninstalling Flash, which would break a number of websites.

One other note. Adobe also released a security update for Shockwave today, so get that packaged and rolling out!
Anonymous
Does anyone know if Microsoft EMET mitigates/prevents this vulnerability from being exploited if the corresponding Adobe .exe file is being protected by EMET?
Anonymous