Adobe's Security Advisory APSA09-03 begins:
A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows.
For more information about this vulnerability, see US-CERT Technical Cyber Security Alert TA09-204A.
Adobe's own Flash Player Statistics page claims that Flash Player is installed on about 99% of Internet-connected desktops, which would mean that 99% of us (where "us" is people who use the Internet) are vulnerable right now. Some may dispute this number, and I'm suspicious of it myself, but there's no disputing the fact that many, many people -- surely a significant majority of regular Web surfers -- are at risk.
Exploits are already in use for the Reader version of this vulnerability. Chances are very good that you are affected by this vulnerability, too -- though, like me, some of my readers may actually be immune to this vulnerability on their primary workstations. There are options to help protect yourself, though. The single most effective way to protect yourself is to simply uninstall your browser's Flash plugin and Adobe Reader on your machine.
That may seem drastic, but I think it is time to make a point most people simply do not want to confront: that sometimes, security means just saying "no" to unsecured software. There are ways to work around some of the "need" for these pieces of Adobe software anyway:
- If your primary Flash "need" is YouTube, there are some alternative options. For instance:
- You could download YouTube videos with youtube-dl
- There is also the option of using a Firefox extension such as DownloadHelper to grab Flash video content from the Web. If you run into problems with some low-quality Flash videos from YouTube whose audio and video do not sync up properly, MPlayer can override the playback framerate (its -fps option) for crappy Flash video.
- Once you have downloaded Flash videos, you can watch them using a locally installed media player that is capable of supporting the format, such as MPlayer. You would just need to ensure that the correct codecs are available for watching Flash video.
- If you actually need to be able to visit sites that require Flash for navigation or present their content through Flash -- a definite no-no of accessible Web design and search engine optimization, but many companies do it anyway -- there are alternatives to the official Adobe Flash player:
- Gnash is an open source GNU project Flash player that runs in (almost?) any X Window System environment, and supports the majority of Flash sites on the Web.
- Swfdec is the freedesktop.org project's answer to Gnash.
One sometimes works better for a particular operating system configuration than another, and the two of them have achieved substantial parity with the Adobe Flash player, but both have some shortcomings when it comes to supporting the full range of Flash objects on the Web.
If you absolutely must have the stronger support of the Adobe Flash plugin, you can at least mitigate the danger somewhat by picking and choosing which Flash objects to view:
- Flashblock is a Firefox extension that masks each Flash object so that it will not actually load. Only by clicking on the mask will the Flash plugin be able to play the Flash object, thus leaving it up to you, the user, to decide which Flash objects to trust.
- For PDF viewing, alternatives to the Adobe Reader are numerous, and most of them are considerably lighter and faster than the Adobe Reader in practice, though some do not offer browser plugins (which, given the above, is not necessarily a disadvantage):
- Xpdf is my current choice for (the majority of) my PDF viewing needs. This open source PDF reader can be installed on Unix and Unix-like operating systems such as various Linux distributions, BSD Unix systems, and Solaris, as well as DOS and MS Windows. If you are using an open source Unix or Unix-like system, check the software management system archives for your OS of choice; otherwise, see if there is a binary download available for your system on the Xpdf Website, or download the source and compile it yourself.
- OpenOffice.org is an open source office suite that can export PDFs, serving as a replacement for Adobe Acrobat as well as for Microsoft Office for people who do not need the more advanced features of Acrobat. With the addition of the Sun PDF Import Extension, you can import PDFs for reading and editing as well. This application is actually what I use to produce invoices, though I keep telling myself I'm going to switch to something else so I do not have to deal with the resource overhead of running an entire office suite just to gain the ability to generate PDFs.
- Ghostscript is a PostScript tool that has evolved to provide PDF support as well.
- Foxit Reader is a popular commercial software choice for MS Windows systems. There is a free download available as well as an option to pay for it, depending on your needs.
- The GIMP is an open source alternative to Adobe Photoshop, and it can load PDFs by converting them to raster images for editing. It is available on a wide variety of platforms, and there is even a version that emulates Photoshop's interface called GIMPshop.
- Google Docs supports PDF viewing as well, displaying the contents of a PDF as HTML in the browser.
- Poppler is a PDF support library based on Xpdf code. The Poppler page at the freedesktop.org wiki offers a short list of some applications that make use of Poppler for PDF rendering.
- Wikipedia offers a list of PDF software as well, in case none of the above options appeal to you.
The reason my own setup is so well insulated against this danger is that I do not run any Adobe software at all on my primary Web browsing platform. If you happen to use FreeBSD, in fact, the top Google result when searching for "youtube-dl" mplayer freebsd happens to be Flash Workarounds for FreeBSD — especially YouTube, a description of exactly the setup I use for dealing with Flash on the Web.
The key is to protect yourself, of course. If you can get by without having the Adobe tools for viewing Flash and PDFs at all, perhaps by using an alternative, that is the preferred option for security's sake. Otherwise, at least take measures to mitigate the danger: install the Flashblock extension for Firefox, and remove the Adobe Reader browser plugin so that PDFs are opened only in a separate Adobe Reader desktop application, where you choose which files will be opened on your computer instead of leaving it up to the browser to decide.
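To make the "do I even have these plugins, and is my Flash build one the advisory names?" check concrete, here is a small POSIX sh audit script. It is an added example, not code from the original post and not an Adobe tool. It scans browser plugin directories for the Adobe Flash plugin and the Adobe Reader browser plugin and compares the Flash build against the two versions quoted from APSA09-03 above (9.0.159.0 and 10.0.22.87, "and earlier"). The plugin file names (libflashplayer.so, nppdf.so), the "LNX a,b,c,d" version marker inside libflashplayer.so, and the default directory list are assumptions about typical Linux/BSD Firefox installs, labelled as such in the code.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Unix workstation for the
# Adobe Flash and Adobe Reader browser plugins and flag Flash builds that are
# at or below the versions APSA09-03 names (9.0.159.0 and 10.0.22.87).
# Assumptions: plugin file names libflashplayer.so / nppdf.so, a "LNX a,b,c,d"
# version marker inside libflashplayer.so, and the Firefox plugin directories.

# Compare two dotted version strings component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing trailing components count as 0.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# Is this Flash Player version covered by the advisory? The affected builds are
# the named version and anything older in the same branch (9.x or 10.x).
flash_affected() {
    v=$1
    case $v in
        10.*)         [ "$(vercmp "$v" 10.0.22.87)" -le 0 ] ;;
        9.*)          [ "$(vercmp "$v" 9.0.159.0)" -le 0 ] ;;
        [0-8].*|[0-8]) return 0 ;;  # older than 9.x: unsupported, treat as unpatched
        *)            return 1 ;;  # 11.x and later postdate the advisory
    esac
}

# Extract the version from the "LNX a,b,c,d" marker (assumed) in the plugin
# binary, without relying on binutils' strings(1): turn every non-printable
# byte into a newline, then pick the first LNX line and dot the commas.
flash_version_of() {
    tr -c '[:print:]' '\n' < "$1" \
        | sed -n 's/^LNX \([0-9][0-9,]*\).*/\1/p' | head -n 1 | tr , .
}

# Scan the given plugin directories. Prints one line per finding and returns
# 0 when no Adobe plugin was found, 1 when at least one was (the post's advice
# is to remove them, so presence alone is a finding).
audit_plugins() {
    status=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        if [ -f "$d/libflashplayer.so" ]; then
            status=1
            v=$(flash_version_of "$d/libflashplayer.so")
            if [ -z "$v" ]; then
                echo "FLASH   $d/libflashplayer.so  version unknown: treat as unpatched"
            elif flash_affected "$v"; then
                echo "FLASH   $d/libflashplayer.so  $v  AFFECTED by APSA09-03: remove or update"
            else
                echo "FLASH   $d/libflashplayer.so  $v  newer than the builds the advisory names"
            fi
        fi
        if [ -f "$d/nppdf.so" ]; then
            status=1
            echo "READER  $d/nppdf.so  browser plugin present: remove it and open PDFs only in a standalone viewer"
        fi
    done
    return $status
}

# Stand-alone use. With explicit directories the exit status reports findings;
# with none, the usual Firefox locations (assumed list) are scanned and the
# status is not propagated, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then
    audit_plugins "$@"; exit $?
fi
audit_plugins "$HOME/.mozilla/plugins" /usr/lib/mozilla/plugins \
    /usr/lib64/mozilla/plugins /usr/local/lib/browser_plugins || :
```

Run it as `sh audit-adobe-plugins.sh ~/.mozilla/plugins /usr/lib/mozilla/plugins` and a non-zero exit means an Adobe plugin is still installed. Note that a build newer than the advisory's versions is reported but not flagged: that only says it is not one of the builds quoted above, not that it is safe, which is why the post's recommendation is removal rather than version-chasing.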
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.