Security bulletin

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

Release date: April 11, 2011

Last updated: April 28, 2011

Vulnerability identifier: APSA11-02

CVE number: CVE-2011-0611

Platform: See "Affected software versions" section below for details

Summary

A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that one of the vulnerabilities, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

Adobe recommends users of Adobe Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.159.1 (Adobe Flash Player 10.2.154.27 for Chrome users). Adobe recommends users of Adobe Flash Player 10.2.156.12 and earlier versions for Android update to Adobe Flash Player 10.2.157.51. Adobe recommends users of Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux update to Adobe AIR 2.6.19140. For more information, see Security Bulletin APSB11-07.

Adobe recommends users of Adobe Reader X (10.0.2) for Macintosh update to Adobe Reader X (10.0.3). For users of Adobe Reader 9.4.3 for Windows and Macintosh, Adobe has made available the update, Adobe Reader 9.4.4. Adobe recommends users of Adobe Acrobat X (10.0.2) for Windows and Macintosh update to Adobe Acrobat X (10.0.3). Adobe recommends users of Adobe Acrobat 9.4.3 for Windows and Macintosh update to Adobe Acrobat 9.4.4. Because Adobe Reader X Protected Mode would prevent exploits of the type targeting CVE-2011-0611 from executing, we are currently planning to address these issues in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011. For more information, see Security Bulletin APSB11-08.

Affected software versions

Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems

Adobe Flash Player 10.2.154.25 and earlier for Chrome users

Adobe Flash Player 10.2.156.12 and earlier for Android

The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems

Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.

Severity rating

Adobe categorizes this as a critical issue.

Acknowledgments

Adobe would like to thank Mila Parkour (http://contagiodump.blogspot.com) for working with Adobe on this issue to help protect our customers.

Revisions

April 28, 2011 - Updated with information on Adobe Flash Player for Android update.

April 21, 2011 - Updated with information on Adobe Reader and Acrobat updates.

April 15, 2011 - Updated with information on Flash Player updated.

April 14, 2011 - Updated with information on Google Chrome.

April 13, 2011 - Updated with schedule information.

April 11, 2011 - Bulletin released.