A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.
So says Adobe's Security Advisory for Flash Player, Adobe Reader and Acrobat. There's a Flash Player 10.1 Release Candidate available that Adobe says “is confirmed not vulnerable”.
This is the advice (for Windows) for Adobe Reader and Acrobat:
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader 9.x and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.
The authplay.dll that ships with Adobe Reader 9.x and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
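As an added example (not from Adobe's advisory or this post), here is a PowerShell script that applies the advisory's rename mitigation in a reversible way, using the two paths quoted above. The ".disabled" suffix, the function names, and the extra check under Program Files (x86) for 64-bit Windows (Reader and Acrobat 9 are 32-bit applications, so that is where they land on x64) are this example's own assumptions; run it from an elevated prompt with Reader and Acrobat closed, and run Restore-Authplay after the real update is installed.

```powershell
# Added example, not from the Adobe advisory: rename authplay.dll so Reader/Acrobat
# can no longer load it, keeping the file in place (renamed) so the change can be
# reverted once the update ships. Requires an elevated prompt; close Reader and
# Acrobat first or the rename fails because the DLL is in use.

# Paths named in the advisory, plus (assumption) the same relative locations under
# Program Files (x86), which is where the 32-bit Reader/Acrobat 9 install on x64.
$AuthplayPaths = @(
    'C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll',
    'C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll',
    'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll',
    'C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\authplay.dll'
)
$BackupSuffix = '.disabled'   # assumption: any non-.dll name stops the loader finding it

function Disable-Authplay {
    foreach ($path in $AuthplayPaths) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Host "Not present, nothing to do: $path"
            continue
        }
        $backup = $path + $BackupSuffix
        if (Test-Path -LiteralPath $backup) {
            Write-Host "Backup already exists, skipping: $backup"
            continue
        }
        # Record the file version before renaming so the change is auditable later.
        $info = Get-Item -LiteralPath $path
        Write-Host ("Renaming {0} (file version {1})" -f $path, $info.VersionInfo.FileVersion)
        Rename-Item -LiteralPath $path -NewName (Split-Path -Leaf $backup) -ErrorAction Stop
    }
}

function Restore-Authplay {
    # Undo the mitigation once the patched Reader/Acrobat 9.3.3 (or later) is installed.
    foreach ($path in $AuthplayPaths) {
        $backup = $path + $BackupSuffix
        if (Test-Path -LiteralPath $backup) {
            Rename-Item -LiteralPath $backup -NewName (Split-Path -Leaf $path) -ErrorAction Stop
            Write-Host "Restored: $path"
        }
    }
}

function Get-AuthplayStatus {
    # One row per candidate path: is the DLL still loadable, and has it been renamed?
    foreach ($path in $AuthplayPaths) {
        [pscustomobject]@{
            Path      = $path
            Present   = Test-Path -LiteralPath $path
            Mitigated = Test-Path -LiteralPath ($path + $BackupSuffix)
        }
    }
}

Disable-Authplay
Get-AuthplayStatus | Format-Table -AutoSize
```

Renaming rather than deleting keeps the original file available for Restore-Authplay, and the status table gives a quick way to confirm across machines that no loadable authplay.dll remains. Users will still see the non-exploitable crash or error the advisory describes when a PDF with SWF content is opened; that is the expected behaviour of the mitigation, not a sign it failed.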
The real fix is some ways away:
We expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010.
Then again, I can't recall if I've ever gone to a legitimate .pdf file that had SFW content embedded in it, so I guess I wouldn't miss it.
How many people are sending you legitimate pdfs with NSFW content? 😉 (Yes, I know that SFW means a different thing in this context, but still, it made me smile.)
You could replace 90% of the PDFs I view with ascii text files, and I’d be delighted by the faster loading time. The other 10% you could replace with JPEGs.