It was announced last week that a new vulnerability (CVE-2011-0609) was found in some of Adobe’s products. This is dangerous for many less tech-savvy users because sometimes they don’t even know that they have such applications installed on their machines. Many of these applications work as plugins in your browser that allow you to watch videos or view webpages.
Which applications are at risk?
The products at risk include Flash Player 10.2, Acrobat and Acrobat Reader X, including versions for PCs, Linux, Macs and even Android smartphones.
How do I know if I’m using these applications?
Adobe Reader – If you are using Adobe Reader you will see an icon on your desktop unless you have manually removed it. If it says “Adobe Reader X” then you are at risk. If it has any other number less than 10 you might not be at risk for this particular vulnerability, but you are at risk for others since you are using an obsolete version of the application. I’d suggest you wait until Monday and then upgrade to X.
Flash Player – Unless you are more experienced, there isn’t a clear way to know whether you visit pages with Flash, but if I had to guess I’d say that yes, almost every person who navigates the web visits a few Flash-based pages every day. They include Flash Player videos, games, etc. Once again, if you have an older version of Flash Player, wait until Monday and then upgrade.
Android devices – Only users with Android 2.2 and 2.3 are at risk. The reason is that versions earlier than 2.2 do not support Flash, and Flash was released for version 3.0 only recently; it is my understanding that it was patched before release. For a list of devices using Android 2.2 or 2.3 please click here.
How is it happening?
Most of the attacks are happening via email. People are receiving Microsoft Excel files (.xls) with an embedded Flash file (.swf) that contains the way in for the saboteurs. But that is not the only way. I’ve had users in the company I work for who forgot to update Adobe Reader and later succumbed to malware infections. So don’t take this lightly.
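As an added example (not from the original post or from Adobe), here is a triage heuristic for the delivery method described above: it checks whether an attachment is an OLE2 container (the format used by .xls) and scans it for plausible SWF headers. The function names, sanity bounds and sample bytes are assumptions constructed for illustration.

```python
import struct
import zlib

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header used by .xls

def is_ole2(data: bytes) -> bool:
    return data.startswith(OLE2_MAGIC)

def _plausible(sig: bytes, version: int, length: int, after: bytes, size: int) -> bool:
    # Assumed sanity bounds: a real SWF has a small version number and a
    # declared length of at least its own 8-byte header.
    if not (1 <= version <= 50 and length >= 8):
        return False
    if sig == b"FWS":
        # An uncompressed movie cannot be larger than the file that holds it.
        return length <= size
    # CWS: the body is a zlib stream, so check the two-byte zlib header.
    if len(after) < 2:
        return False
    cmf, flg = after[0], after[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0

def find_embedded_swf(data: bytes):
    """Return sorted (offset, signature, version, declared_length) tuples."""
    hits = []
    for sig in (b"FWS", b"CWS"):
        pos = data.find(sig)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                (length,) = struct.unpack_from("<I", data, pos + 4)
                if _plausible(sig, version, length, data[pos + 8:pos + 10], len(data)):
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)

def build_sample() -> bytes:
    # Constructed test input, not a real attachment: OLE2 magic, padding,
    # one FWS header, a text decoy containing "FWS", and one CWS header.
    body = b"\x00" * 32
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    return OLE2_MAGIC + b"\x00" * 504 + fws + b"FWS report for Q1" + cws

if __name__ == "__main__":
    sample = build_sample()
    print("OLE2 container:", is_ole2(sample))
    for hit in find_embedded_swf(sample):
        print("possible SWF at offset %d: %s v%d, declared length %d" % hit)
```

A hit is a reason to quarantine the attachment and look closer, not proof of an exploit. A clean result is not proof of safety either, since streams inside a compound file can be fragmented or stored in encoded form.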
When will this be resolved?
Adobe released their out-of-rotation patch this week (Monday 21st of March, 2011).
What do I have to do?
One thing I will definitely give to Adobe is that they are pretty fast when they find vulnerabilities. Once they have deployed their patch, more than likely you will see a pop-up in your system tray (lower right corner of your monitor where all the small icons are). It will say “updates available” and there will be an Adobe logo there. Click on it and install. If you don’t see it, go to the following page and click on the buttons for Adobe Reader and Flash Player (one at a time, of course). Reinstall them after you have read or been given the green light to do so (meaning when you know the patch has been released). While reinstalling, make sure that you are not opted in to download other software or toolbars that you don’t need.
Where do I get more information?
Stay tuned to this blog. We’ll be updating if anything else happens, and we’ll update this post once the patch is out. You can also visit Adobe’s website for additional security information.