A large number of users who regularly upgrade their Flash Player installations remain exposed to Flash-based attacks, because the Flash plug-in bundled in Adobe Reader is not updated at the same time.
Since version 9.0, which was released a little over two years ago, in July 2008, Adobe Reader is capable of natively playing SWF (Shockwave Flash) files embedded in PDF documents.
This functionality is provided through a version of Flash Player bundled in Adobe Reader installations as a file called authplay.dll.
The immediate implication of this is that most, if not all, zero-day vulnerabilities discovered in Flash Player also affect Adobe Reader.
In fact, this has happened several times already and in at least one case rogue PDF documents with malicious SWF files embedded into them were used to infect users with malware.
But, according to Carsten Eiram, who works as chief security specialist at vulnerability research vendor Secunia, there's also another serious problem.
The researcher points out that authplay.dll is not patched during a standard Flash Player upgrade. Instead, this file only gets updated along with Adobe Reader.
However, while Flash Player patches are released whenever they are necessary, without a fixed schedule, Adobe Reader updates ship according to a quarterly schedule.
This means that, for example, the multiple remote code execution vulnerabilities addressed by the newly released Flash Player 10.1.82.76 and 9.0.280 are still exploitable via the latest version of Adobe Reader (9.3.3), which contains authplay.dll (Flash Player) 10.1.53.64.
And since the advisories accompanying Flash Player releases also disclose vulnerabilities reported privately to Adobe by security researchers, this update discrepancy has even more security implications.
It means that hackers could theoretically reverse engineer changes in new Flash Player versions and create exploits for flaws that were previously unknown to them. Once this is done, they would have plenty of time to attack users via authplay.dll.
Fortunately, the company will issue an out-of-band update next week, in order to address a vulnerability publicly disclosed at Black Hat in July.
"According to Adobe, this also includes an updated version of the bundled Flash Player, but one has to wonder how long we would have had to wait if they weren't forced to issue the out-of-band release," Mr. Eiram writes on the Secunia blog.
The best way to protect yourself from vulnerabilities in Adobe products is not to use Adobe's products. =)
However, in the business world, that just isn't an option in some cases.
In that case, I would suggest you read and review the security settings recommended by AVG.
If you want to take it even further, you can do what US-CERT suggested in VU#660993.
Flash and 3D & Multimedia support are implemented as plug-in libraries in Adobe Reader. Disabling Flash in Adobe Reader will only mitigate attacks that use an SWF embedded in a PDF file. Disabling 3D & Multimedia support does not directly address the vulnerability, but it does provide additional mitigation and results not in a crash but in a more user-friendly error message.
Disabling these plug-ins will reduce functionality and will not protect against SWF files hosted on websites [because those are executed by the Flash Player in your browser]. Depending on the update schedule for products other than Flash Player, consider leaving Flash and 3D & Multimedia support disabled unless they are absolutely required.
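As an added check (not from the original post or the US-CERT note), this PowerShell script audits a Windows machine for the discrepancy described above: it compares the Flash version compiled into Adobe Reader's authplay.dll against the standalone Flash Player files used by browsers, and reports when authplay.dll is absent, which is the state the VU#660993 workaround leaves behind. The install directories and Flash file names are assumptions based on default layouts.

```powershell
# Added example, not part of the original post or of US-CERT VU#660993.
# Audits whether the Flash runtime bundled with Adobe Reader/Acrobat (authplay.dll)
# lags behind the standalone Flash Player installed for browsers.
# Assumed locations: Reader/Acrobat under the Program Files\Adobe trees;
# Flash Player under %windir%\System32 (and SysWOW64 on 64-bit) \Macromed\Flash.

function Get-FileVersionObject {
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build a [version] from the numeric parts so comparisons are numeric, not string-based.
    New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

# Every authplay.dll shipped with Reader or Acrobat (assumed install roots).
$adobeRoots = @("$env:ProgramFiles\Adobe", "${env:ProgramFiles(x86)}\Adobe") | Where-Object { Test-Path $_ }
$bundled = Get-ChildItem -Path $adobeRoots -Recurse -Filter authplay.dll -ErrorAction SilentlyContinue

# Browser Flash Player binaries: ActiveX control (Flash*.ocx) and NPAPI plug-in (NPSWF*.dll).
$flashDirs = @("$env:windir\System32\Macromed\Flash", "$env:windir\SysWOW64\Macromed\Flash") | Where-Object { Test-Path $_ }
$standalone = Get-ChildItem -Path $flashDirs -Recurse -Include 'Flash*.ocx', 'NPSWF*.dll' -ErrorAction SilentlyContinue

if (-not $standalone) {
    Write-Warning "No standalone Flash Player found; nothing to compare against."
    return
}
$newestFlash = ($standalone | ForEach-Object { Get-FileVersionObject $_.FullName } | Sort-Object -Descending)[0]
Write-Output "Newest standalone Flash Player: $newestFlash"

if (-not $bundled) {
    # No authplay.dll: Flash in Reader/Acrobat is disabled (removed or renamed), or Reader is older than 9.
    Write-Output "No authplay.dll found: Flash rendering in Reader/Acrobat appears disabled."
    return
}

foreach ($dll in $bundled) {
    $v = Get-FileVersionObject $dll.FullName
    if ($v -lt $newestFlash) {
        Write-Warning "$($dll.FullName) is Flash $v, older than Flash Player $newestFlash: SWF embedded in PDF is still exposed."
    } else {
        Write-Output "$($dll.FullName) is Flash $v, not older than the standalone player."
    }
}
```

On a Reader 9.3.3 system with Flash Player 10.1.82.76 installed, the warning branch is what the post describes: authplay.dll reporting 10.1.53.64 against a newer standalone player.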