Adobe issues patches for zero-day flaws in Flash, Acrobat and Reader
Adobe has issued an out-of-band patch for the zero-day flaw in its Flash player.
As detailed by SC Magazine last week, the critical vulnerability was being exploited in the wild and involved a Flash (.swf) file, embedded in a Microsoft Excel (XLS) file, being delivered as an email attachment that could cause a crash and potentially allow an attacker to take control of the affected system.
The vulnerability (CVE-2011-0609) affected Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, Flash Player 10.2.154.18 and earlier for Chrome users and Flash Player 10.1.106.16 and earlier for Android, AIR 2.5.1, Windows, Macintosh and Linux.
Adobe also issued a patch for its Reader and Acrobat products, with the same vulnerability being identified in the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.
Adobe recommended users of Adobe Reader X (10.0.1) for Macintosh to update to Adobe Reader X (10.0.2), while users of Adobe Reader 9.4.2 for Windows and Macintosh should use Adobe Reader 9.4.3. Adobe recommends users of Adobe Acrobat X (10.0.1) for Windows and Macintosh to update to Adobe Acrobat X (10.0.2) and users of Adobe Acrobat 9.4.2 for Windows and Macintosh should update to Adobe Acrobat 9.4.3.
It concluded by saying that due to Adobe Reader X Protected Mode preventing an exploit of this kind from executing, it is planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, which is currently scheduled for 14th June 2011.