14 Sep, 2010
Adobe warns that a critical and previously undisclosed vulnerability in Flash Player is actively being exploited in the wild to compromise computers.
“A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android.
“This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh,” the company writes in a newly published security advisory.
Exploiting the vulnerability can cause a crash that allows an attacker to execute arbitrary code and compromise the system. Worse yet, the flaw was reported as a zero-day: Adobe learned about it from exploits already circulating in the wild.
The company is currently working on a patch and plans to release it two weeks from now, around September 27.
However, the window of exploitability will actually be longer, because this flaw also affects the Flash Player plug-in embedded into Adobe Reader.
The authplay.dll file, which enables SWF playback inside PDF documents, is only updated as part of an Adobe Reader upgrade, and the next one is scheduled for the week of October 4.
Therefore, attackers will be able to target this new zero-day bug, identified as CVE-2010-2884, for one week after Flash Player is patched, by tricking users into opening rogue PDF documents with malicious SWF content embedded.
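As an added illustration, not part of the original article, the following Python helper checks installed versions against the affected versions quoted above using a numeric rather than lexical comparison (a plain string compare would rank "10.1.100.1" below "10.1.82.76"); the product keys, hostnames and inventory list are constructed for the example.

```python
from typing import List, Tuple

# Affected versions as stated in the advisory quoted above (CVE-2010-2884).
# Each entry means "this version and earlier"; the advisory names the Android
# build as 10.1.92.10, which is treated the same way here (an assumption).
AFFECTED = {
    "flash_player": "10.1.82.76",          # Windows, Macintosh, Linux, Solaris
    "flash_player_android": "10.1.92.10",
    "reader": "9.3.4",
    "acrobat": "9.3.4",
}

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '10.1.82.76' into (10, 1, 82, 76) so comparisons are numeric.
    A plain string compare gets this wrong: '10.1.100.1' < '10.1.82.76'."""
    parts = s.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    return tuple(int(p) for p in parts)

def is_affected(product: str, version: str) -> bool:
    """True when the installed version is at or below the advisory's ceiling."""
    have = parse_version(version)
    ceiling = parse_version(AFFECTED[product])
    width = max(len(have), len(ceiling))           # pad so 9.3.4 == 9.3.4.0
    have += (0,) * (width - len(have))
    ceiling += (0,) * (width - len(ceiling))
    return have <= ceiling

def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hosts from a (host, product, version) inventory that still carry
    an affected build, sorted for the update queue."""
    hits = {host for host, product, version in inventory
            if product in AFFECTED and is_affected(product, version)}
    return sorted(hits)

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "flash_player", "10.1.82.76"),   # exactly the ceiling: affected
    ("ws-02", "flash_player", "10.1.100.1"),   # newer; a lexical compare would flag it
    ("ws-03", "reader", "9.3.4"),              # affected, and carries authplay.dll
    ("ws-04", "reader", "9.4.0"),              # above the advisory ceiling
    ("mob-01", "flash_player_android", "10.1.92.10"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2010-2884, schedule update")
```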
There is currently no mitigation available, but Adobe is working closely with the security industry to make detection for this exploit widely available.
As always, users are strongly advised to run a capable and up-to-date antivirus product on their computer systems at all times.
In related news, the Adobe Reader update scheduled for the beginning of next month will also address a separate PDF zero-day vulnerability that has been exploited for over a week already.