Aug 12, 2010 17:53 GMT  ·  By
Flash Player bundled in Adobe Reader remains vulnerable for months after patches are released

A large number of users who regularly upgrade their Flash Player installations remain exposed to Flash-based attacks, because the Flash plug-in bundled in Adobe Reader is not updated at the same time.

Since version 9.0, which was released a little over two years ago, in July 2008, Adobe Reader has been capable of natively playing SWF (Shockwave Flash) files embedded in PDF documents.

This functionality is provided through a version of Flash Player bundled in Adobe Reader installations as a file called authplay.dll.

The immediate implication of this is that most, if not all, zero-day vulnerabilities discovered in Flash Player also affect Adobe Reader.

In fact, this has happened several times already and in at least one case rogue PDF documents with malicious SWF files embedded into them were used to infect users with malware.

But, according to Carsten Eiram, who works as chief security specialist at vulnerability research vendor Secunia, there's also another serious problem.

The researcher points out that authplay.dll is not patched during a standard Flash Player upgrade. Instead, this file only gets updated along with Adobe Reader.

However, while Flash Player patches are released irregularly, whenever they are necessary, Adobe Reader updates ship according to a quarterly schedule.

This means that, for example, the multiple remote code execution vulnerabilities addressed by the newly released Flash Player 10.1.82.76 and 9.0.280 are still exploitable via the latest version of Adobe Reader (9.3.3), which contains authplay.dll (Flash Player) 10.1.53.64.
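For administrators who want to find the affected machines, the sketch below (an added example, not code from Adobe or Secunia) audits a software inventory for hosts whose bundled authplay.dll is older than the fixed Flash Player builds named above, even when the standalone plug-in is current. The host names and inventory layout are constructed for illustration, and the handling of version branches other than 9 and 10 is an assumption.

```python
# Added example: fixed builds are the ones named in the article; hosts are constructed.
FIXED_BUILDS = {10: (10, 1, 82, 76), 9: (9, 0, 280, 0)}

def parse_version(text):
    """Parse '10.1.53.64' or the comma form '10,1,53,64' into a 4-tuple."""
    parts = [int(p) for p in text.strip().replace(",", ".").split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def is_patched(text):
    """Compare a version against the fixed build of the same major branch."""
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[0])
    if fixed is None:
        # Assumption: branches newer than those listed are fixed, older ones are not.
        return version[0] > max(FIXED_BUILDS)
    return version >= fixed

def audit(inventory):
    """Return {host: finding} for every host with a vulnerable Flash copy."""
    findings = {}
    for host, plugin, authplay in inventory:
        plugin_stale = plugin is not None and not is_patched(plugin)
        bundled_stale = authplay is not None and not is_patched(authplay)
        if bundled_stale and not plugin_stale:
            # The case the article describes: Flash was upgraded, Reader's copy was not.
            findings[host] = "only authplay.dll stale"
        elif bundled_stale:
            findings[host] = "authplay.dll and standalone plugin stale"
        elif plugin_stale:
            findings[host] = "only standalone plugin stale"
    return findings

# Constructed inventory: (host, standalone plugin version, authplay.dll version);
# None means that component is not installed on the host.
SAMPLE_INVENTORY = [
    ("ws-01", "10.1.82.76", "10.1.53.64"),
    ("ws-02", "10.1.53.64", "10,1,53,64"),
    ("ws-03", "9.0.280", None),
    ("ws-04", "10,1,82,76", "10.1.82.76"),
    ("ws-05", None, "10.1.53.64"),
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {finding}")
```

A check that looks only at the browser plug-in version would report ws-01 as patched; the audit has to read the version of the authplay.dll file itself.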

And since the advisories accompanying Flash Player releases also disclose vulnerabilities reported privately to Adobe by security researchers, this update discrepancy has even more security implications.

It means that hackers could theoretically reverse engineer changes in new Flash Player versions and create exploits for flaws that were previously unknown to them. Once this is done, they would have plenty of time to attack users via authplay.dll.

Just as an example, the next update cycle for Adobe Reader was scheduled for October 12th. Fortunately, the company will issue an out-of-band update next week, in order to address a vulnerability publicly disclosed at Black Hat in July.

"According to Adobe, this also includes an updated version of the bundled Flash Player, but one has to wonder how long we would have had to wait if they weren't forced to issue the out-of-band release," Mr. Eiram writes on the Secunia blog.

You can follow the editor on Twitter @lconstantin
