Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 5th, 2010

Critical Flash Player, Acrobat, Reader Vulnerability Exploited In The Wild

Adobe warns users that an unpatched vulnerability affecting Flash Player, Reader and Acrobat is actively being exploited in the wild. The critical flaw allows attackers to remotely execute arbitrary code.

The vulnerability affects the latest stable releases of Flash Player 10.0.x and 9.0.x, as well as any older versions, for all supported operating systems – Windows, Mac and UNIX. The company notes that the latest release candidate for the upcoming Flash Player 10.1 is not affected and advises users to upgrade to it:

Affected Versions

– Adobe Flash Player, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris
– Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX

Not Vulnerable

– Flash Player 10.1 Release Candidate
– Adobe Reader and Acrobat 8.x

The bug also affects the latest versions of Adobe Reader and Acrobat through the authplay.dll library included in these products. This component is used to play SWFs embedded in PDF documents and was affected by a similar vulnerability in July last year. Adobe proposes renaming or deleting this file, or denying access to it, until a fix becomes available.
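One way to apply the rename workaround under a given install root and undo it once a fix ships, as an added example that is not Adobe's or this site's code. The `.disabled` suffix, the function names and the root directory passed in are assumptions of the example.

```python
import os
import sys
from pathlib import Path

TARGET = "authplay.dll"   # component named in Adobe's advisory
SUFFIX = ".disabled"      # assumed rename suffix, chosen for this example


def find_authplay(root):
    """Return every live authplay.dll under root (case-insensitive match)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [Path(dirpath) / n for n in files if n.lower() == TARGET]
    return sorted(hits)


def disable_authplay(root, dry_run=True):
    """Rename each authplay.dll so Reader/Acrobat can no longer load it.

    Returns (path, status) pairs: 'would-rename', 'renamed' or 'error: ...'.
    """
    results = []
    for path in find_authplay(root):
        if dry_run:
            results.append((path, "would-rename"))
            continue
        try:
            # os.replace overwrites a stale .disabled copy, so a DLL put back
            # by a repair install is still taken out of service.
            os.replace(path, path.with_name(path.name + SUFFIX))
            results.append((path, "renamed"))
        except OSError as exc:  # e.g. file locked by a running Reader
            results.append((path, f"error: {exc.strerror}"))
    return results


def restore_authplay(root):
    """Undo the rename; skip any DLL an updated install already replaced."""
    restored = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            dst = Path(dirpath) / name[: -len(SUFFIX)]
            if name.lower() == TARGET + SUFFIX and not dst.exists():
                os.replace(Path(dirpath) / name, dst)
                restored.append(dst)
    return sorted(restored)


if __name__ == "__main__" and len(sys.argv) > 1:
    for found, status in disable_authplay(sys.argv[1], dry_run="--apply" not in sys.argv):
        print(status, found)
```

Run it without `--apply` first to list what would be renamed; any `error:` entries usually mean the product is still running and holding the file open.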

“This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat,” Adobe’s Security Advisory on the issue states. “Adobe Reader and Acrobat 8.x are confirmed not vulnerable,” the company adds.

Adobe products have been plagued by many zero-day remote code execution vulnerabilities in recent years, which has earned the company a poor reputation among security-conscious users. To make it easier for system administrators in large companies to deploy security updates, in June last year Adobe introduced a quarterly patching cycle aligned with Microsoft’s Patch Tuesday. However, because of critical bugs discovered in the wild, the company has already been forced to release out-of-band updates twice, and it looks like this latest vulnerability might call for a third.

Credit: News
