Forum Thread: Adobe Reader unsecure solution changing file name?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Adobe Systems
And, this specific program:
Adobe Reader 9.x

This thread has been marked as locked.
jckinnick Adobe Reader unsecure solution changing file name?
Member 9th Jun, 2010 06:59
Ranking: 4
Posts: 152
User Since: 21st May, 2010
System Score: N/A
Location: N/A
It says one of the solutions to the Adobe Reader unsecurity is "Delete, rename, or remove access to authplay.dll to prevent running SWF content in PDF files".

The question I have is, if I change the name of the file will this screw up anything in Adobe Reader? And what is SWF content?

taffy078 RE: Adobe Reader unsecure solution changing file name?
Contributor 9th Jun, 2010 07:12
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 9th Jun, 2010 07:17
Hi.

I too am not happy with the thought of having to rename a file without knowing (a) is it easy & (b) what are the consequences if I get it wrong.

I'm glad you raised this. I pondered doing so in my post 18:13 yesterday in the Off Topic thread. There's a reply there from Anthony that might help us. I'm about to look into it.

PS Will Microsoft now be rushing out updates for this?

EDIT: Changed to reflect Anthony's advice in Off Topic.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+1
-0
jckinnick RE: Adobe Reader unsecure solution changing file name?
Member 9th Jun, 2010 08:54
Score: 4
Posts: 152
User Since: 21st May 2010
System Score: N/A
Location: N/A
Aren't the dll files very important? I know that sometimes if you try to change a file name it will warn you that it might not be usable anymore.
Was this reply relevant?
+0
-0
TiMow RE: Adobe Reader unsecure solution changing file name?
Dedicated Contributor 9th Jun, 2010 13:34
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Last edited on 9th Jun, 2010 13:39
Both Adobe and Secunia recommend the changing (renaming) of "authplay.dll".

See:

http://www.adobe.com/support/security/advisories/a...

and:

http://secunia.com/advisories/40034/

I wouldn't worry too much about how this affects the workings of Reader; more, what might happen if you don't do the change. I recommend sooner, rather than later - this vulnerability is being actively exploited.

Although I don't have Adobe Reader installed (I use Foxit), I would try to offer guidance on how to effect this change, if required.

Remember, it's not permanent or final, but just a workaround for the present situation.

Copied from your other thread (for the benefit of others):

If there is any term of which you are unsure, then type "define: xxxxx" (where xxxxx is the term you need explaining), into your browser's search box. Alternatively Wikipedia is always a good source of reference, or try this link:

http://www.cryer.co.uk/glossary/a/index.htm

TiMow

EDIT: As the vulnerabilities of both Reader and Flash are connected, I believe, in this instance, that SWF refers to ShockWave Flash (i.e. flash player).


--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+1
-0
ddmarshall RE: Adobe Reader unsecure solution changing file name?
Dedicated Contributor 9th Jun, 2010 14:25
Score: 1218
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
The authplay.dll file is a copy of the Flash Player 10.0 embedded in Adobe Reader. This allows Flash content (SWF) to be included in a PDF. If you delete or rename authplay, Adobe Reader will give an error message or crash when you open a PDF with Flash content in it.

Adobe are promising an update on June 29. If you are unhappy about modifying Adobe Reader, be careful about opening PDFs from unknown sources and change preferences to stop PDFs opening automatically in browsers. In any case, antivirus software may stop the vulnerability being exploited. Browsing as a standard user rather than an administrator usually helps too.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
jckinnick RE: Adobe Reader unsecure solution changing file name?
Member 10th Jun, 2010 07:55
Score: 4
Posts: 152
User Since: 21st May 2010
System Score: N/A
Location: N/A
Last edited on 10th Jun, 2010 08:01
I did a search on my computer for that particular file and I have two of them on my computer: one is Adobe Reader and the other is in Documents/Settings/Owner/Recent.

The file description said 10.0.45 which I thought I uninstalled when I used the uninstall Adobe file and installed 10.1.53; maybe that's why IE's Adobe Flash is still saying unsecure?

Should I change both of them? Is just changing one letter enough or do I need to make it unfindable for anybody else?


Was this reply relevant?
+0
-0
jckinnick RE: Adobe Reader unsecure solution changing file name?
Member 10th Jun, 2010 08:24
Score: 4
Posts: 152
User Since: 21st May 2010
System Score: N/A
Location: N/A
I changed the one file, did a PSI scan, and it's still showing Adobe Reader as unsecure for two browsers.
Was this reply relevant?
+0
-0
TiMow RE: Adobe Reader unsecure solution changing file name?
Dedicated Contributor 10th Jun, 2010 08:51
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
The reason that Flash shows as the older version is because it is embedded within Reader, and any updating of Flash won't affect this version - it will always be 10.0.45 - hence the current insecurity.

By renaming the authplay.dll you have done all you can to guard against this vulnerability (bear in mind the info. from @ddmarshall, above), as recommended by Adobe and Secunia.

As this is only a workaround, PSI doesn't recognise this as a full solution, and will continue to flag Reader as Insecure.

As soon as you change the name of the file, the program should no longer recognise it, and therefore not use it. What is important, is that it is obvious to you, as you may need to come back in the future to undo the renaming - you should record details somewhere of location and your action.
Standard renaming is to add "_old" at the end (after .dll) - then it is clear later.

As previously stated, I don't have Reader and can't directly relate to these files, but you should at least rename the one in the Adobe Reader program, and possibly both - I can't say for certain, as Docs and Sets normally contain your personal details in relation to that program. Maybe someone else will be able to provide more info.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-0
ddmarshall RE: Adobe Reader unsecure solution changing file name?
Dedicated Contributor 10th Jun, 2010 12:36
Score: 1218
Posts: 971
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 10th Jun, 2010 13:30
I think that what you are seeing in Documents and Settings is just a link in your recent items list. Try clearing Recent Items and see if it disappears.

I've just noticed that US-CERT recommends disabling rt3d.dll as well. There is no mention of this in the Adobe security bulletin.

http://www.us-cert.gov/cas/techalerts/TA10-159A.ht...

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
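The rename-and-record workaround TiMow describes above, with the option of also covering rt3d.dll as in the US-CERT alert ddmarshall mentions, as an added example that is not part of the thread and not from Adobe, Secunia or US-CERT. The script name, the `-ReaderRoot` install folder parameter and the log file location are assumptions.

```powershell
# Added example (hypothetical script name: Set-ReaderWorkaround.ps1); run from an elevated prompt.
# -ReaderRoot is an assumption: the folder where Adobe Reader is installed on this machine.
param(
    [Parameter(Mandatory = $true)][string]$ReaderRoot,
    [string[]]$Names = @('authplay.dll'),   # pass 'authplay.dll','rt3d.dll' to follow the US-CERT note
    [string]$LogPath = (Join-Path $env:USERPROFILE 'reader-workaround-log.csv'),  # assumed log location
    [switch]$Undo
)
$ErrorActionPreference = 'Stop'

if ($Undo) {
    # Put the original names back, e.g. just before installing the vendor update.
    foreach ($entry in Import-Csv -Path $LogPath) {
        if (-not (Test-Path -LiteralPath $entry.RenamedTo)) { continue }   # already restored
        if (Test-Path -LiteralPath $entry.Original) {
            # A file with the original name is back (e.g. an update ran first): leave both alone.
            Write-Warning "Skipped $($entry.Original): a file with that name already exists"
            continue
        }
        Rename-Item -LiteralPath $entry.RenamedTo -NewName (Split-Path -Path $entry.Original -Leaf)
        Write-Output "Restored $($entry.Original)"
    }
    return
}

# Find every copy under the install folder; -contains compares names case-insensitively.
$found = Get-ChildItem -Path $ReaderRoot -Recurse -File | Where-Object { $Names -contains $_.Name }

$records = foreach ($file in $found) {
    $newName = $file.Name + '_old'          # "authplay.dll" becomes "authplay.dll_old"
    Rename-Item -LiteralPath $file.FullName -NewName $newName
    [pscustomobject]@{
        When      = (Get-Date).ToString('s')
        Original  = $file.FullName
        RenamedTo = Join-Path $file.DirectoryName $newName
    }
}

if ($records) {
    # Record location and action so the change can be found and undone later.
    $records | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $records | Format-Table -AutoSize
} else {
    Write-Warning "No file named $($Names -join ', ') found under $ReaderRoot"
}
```

Running it again with `-Undo` reads the same log and restores the original names, skipping any entry where a file with the original name is already present.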
jckinnick RE: Adobe Reader unsecure solution changing file name?
Member 11th Jun, 2010 11:57
Score: 4
Posts: 152
User Since: 21st May 2010
System Score: N/A
Location: N/A
I just saw that the official new Adobe Flash Player has been released. What about my other question: does it download to all browsers used or do you have to download it in each browser?
Was this reply relevant?
+0
-0
Maurice Joyce RE: Adobe Reader unsecure solution changing file name?
Handling Contributor 11th Jun, 2010 12:10
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
This will solve your Flash Player issue.

UPDATING ADOBE FLASH
====================
Works with Windows XP, Vista & Windows 7 - 32 & 64 Bit systems.

To successfully install Adobe Flash go here:
http://www.filehippo.com/download_flashplayer_ie/

& then here if U have any Gecko based browsers.

http://www.filehippo.com/download_flashplayer_fire...

The latest RC version is: 10.1.53.64 RC7 - This version is very stable, monitored by Secunia & currently the only one that appears secure.

1. Select the Flash version U require & download it.
2. The installer will appear on the desktop. Before agreeing to install close:
a. All Browsers.
b. PSI
c. Windows Messenger.

3. The new install will then remove all old files during the update process.
4. Complete a PSI rescan.

POSSIBLE PROBLEMS.
++++++++++++++++++

If U failed to complete 2. above U may well find PSI still shows a vulnerability on the rescan.

SOLUTION

1. Double check your browser(s), PSI & Messenger are closed.
2. Navigate to:
32 Bit Systems - C:\Windows\system32\Macromedia\Flash
64 Bit Systems - C:\Windows\sysWOW64\Macromedia\Flash

In these locations U may well find these entries:
FLASH10D or E.OCX - Right click & delete it.
FLASH10H.OCX - The latest version which should be retained.


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+3
-0
TiMow RE: Adobe Reader unsecure solution changing file name?
Dedicated Contributor 11th Jun, 2010 12:51
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
Thanks Maurice, although I had included the following in his other thread re. Flash, so it should have been clear:

Quote:
"Flash is used by your browsers for graphics, videos, games etc.

IE uses Flash (ActiveX) - PSI require this version for the display of its graphics (pie chart and bars).

Other browsers need Flash (NPAPI).

When you install/update Flash you normally need to do this twice - once using IE for ActiveX, and once using another browser for NPAPI.

This is why you see both entries under Patched - this is normal."

Unquote.

@jckinnick - the above info was included in the following thread (so this did answer your Q):

http://secunia.com/community/forum/thread/show/444...

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+2
-0
taffy078 RE: Adobe Reader unsecure solution changing file name?
Contributor 11th Jun, 2010 14:06
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Sorry jckinnick for posting about Flash in this thread.

But I followed the instructions above, downloaded the latest version of Flash from filehippo & scanned again. This showed two insecure zombie files in my E: drive so I ran the uninstaller shown in the "extra information" box. That removed both the latest Flash & one of the zombies. I ran the uninstaller again & scanned again. One zombie is still there - v10.0.45.2 (ActiveX) in E:\WINDOWS\system32\Macromed\Flash\Flash10e.ocx

So I followed your manual removal process, Maurice. This brought up two messages
(1) "This is a read-only file - are you sure" = Yes - proceed then
(2) "Cannot delete 10e.ocx. Access is denied. Make sure that the disk is not full or write-protected & that the file is not currently in use."
Messenger, IE & Secunia were all closed before I tried the auto & manual uninstalls.

Can I safely create an Ignore rule please, Maurice?

Added:
PS From another post, you'll know that I am about to create an "ignore rule" for my E: drive so this insecure message will no longer appear.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+0
-0
Maurice Joyce RE: Adobe Reader unsecure solution changing file name?
Handling Contributor 11th Jun, 2010 14:13
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 11th Jun, 2010 14:18
If U only use your E drive for backup then it is OK. If U have created a Global ignore rule as per the other thread it should not be showing after a full PSI scan.

This rule also applies to any HARD drive that is not C & used solely for backup & folder i386 which is not exposed.

Access will be denied if the file is in use, hence COMPLETELY close ALL browsers, PSI & Microsoft Messenger.

The Adobe uninstaller cannot see the E drive hence no success there. It, like so many others only looks at the default drive (C).

Sorry about the edits!

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
taffy078 RE: Adobe Reader unsecure solution changing file name?
Contributor 11th Jun, 2010 15:12
Score: 408
Posts: 1,352
User Since: 26th Feb 2009
System Score: 100%
Location: UK
cheers Maurice

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+1
-1
jckinnick RE: Adobe Reader unsecure solution changing file name?
Member 12th Jun, 2010 10:04
Score: 4
Posts: 152
User Since: 21st May 2010
System Score: N/A
Location: N/A
What about changing that file name: do we need to keep it changed or can we change it back to the original name?
Was this reply relevant?
+0
-0
TiMow RE: Adobe Reader unsecure solution changing file name?
Dedicated Contributor 12th Jun, 2010 11:58
Score: 737
Posts: 728
User Since: 26th Jun 2009
System Score: N/A
Location: CH
As Adobe are reporting that a patch/update will not be available until 29 Jun. to fix this issue, then, if you've already changed the file name, you should leave it until you update, at that time.

Only then should you change back to the original, at the time of (but just before) the installation of the update, to avoid any problems with this patch installation.

TiMow

--
Computing is not yet a perfect science - it still requires humans.
Was this reply relevant?
+0
-0
This user no longer exists RE: Adobe Reader unsecure solution changing file name?
Member 14th Jun, 2010 23:53
Hi. I have no idea whether I am browsing as a 'standard user' or as an 'administrator'. How can I tell the difference, and how do I change from one to the other? Thank you very much.
Was this reply relevant?
+0
-0
This user no longer exists RE: Adobe Reader unsecure solution changing file name?
Member 15th Jun, 2010 00:15
Hi. Adobe flash player is listed in my control panel, though no size is shown. I went to C:\windows \system 32, but did not find Macromedia Flash. It said Files are Hidden, but I looked through them and did not find anything that said FLASH. I guess Flash player is not installed on my computer.

I have another question that is off topic: Can anyone tell me why half the entries in c:\windows are listed in blue ink and half in black ink? There seems to be getting more and more blue ink all the time.

Thank you very much.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Adobe Reader unsecure solution changing file name?
Handling Contributor 15th Jun, 2010 00:32
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 15th Jun, 2010 00:33
@Jitterbug
I would suggest U create your own thread with the two issues U have.

One vital piece of information missing is which OS & SP are U using.

It looks like U are running a 32 bit system but it would also be helpful to confirm that.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
This user no longer exists RE: Adobe Reader unsecure solution changing file name?
Member 15th Jun, 2010 01:16
Hello Maurice:

How do I determine my OS (operating system?) and SP (?). And how do I start my own thread?

Thank you. jitterbug.
Was this reply relevant?
+0
-0
This user no longer exists RE: Adobe Reader unsecure solution changing file name?
Member 15th Jun, 2010 01:17
I fixed this problem by uninstalling Flash Player and installing Foxit Reader. jitterbug.
Was this reply relevant?
+0
-0
Maurice Joyce RE: Adobe Reader unsecure solution changing file name?
Handling Contributor 15th Jun, 2010 01:35
Score: 11865
Posts: 9,101
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 15th Jun, 2010 01:36
To view your system details go to Control Panel > System.

To create a thread of your own look to the left & U will see a box marked Forum.

Within that box near the bottom is a blue link marked Create Thread - click that & follow the instructions

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+5
-0
