In an out-of-cycle update, Adobe has shipped updates for its Flash Player to address a zero-day vulnerability. It also issued updates for older versions of Adobe Reader and Adobe Acrobat to address a critical vulnerability that could crash the host system and give control to attackers.
Adobe clarified that it’s aware of attacks against Flash Player in the wild that exploited this vulnerability through a Flash (.swf) file embedded in a Microsoft Excel (.xls) file sent as email attachments. It stated that Adobe Reader and Adobe Acrobat have not been targeted so far.
According to Adobe, Adobe Reader X’s Protected Mode mitigations prevent execution of such an exploit. The critical vulnerability in Adobe Reader and Acrobat X exists in the ‘authplay.dll’ component that ships with the software. The vulnerabilities in all three products could result in system crashes through memory corruption and in arbitrary code execution, which can give an attacker control of the affected system.
The vulnerabilities have been reported in Reader and Acrobat v10.0.1, and in Flash Player versions up to and including v10.2.152.33, as well as the parallel releases on other platforms. Adobe categorizes these as critical updates and recommends that affected users update their installations to the newest versions. The Flash Player vulnerability is resolved by updating to the latest version (v10.2.153.1) and the parallel releases for other platforms. Adobe recommends v10.0.2 for Reader and Acrobat v10.0.1, and Reader and Acrobat v9.4.2 should be updated to v9.4.3.
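As an added example (not code from Adobe or this article), the following Python script applies two defender checks the article suggests: a raw scan of a file for embedded SWF headers of the kind the in-the-wild .xls attachments carried, and a comparison of an installed Flash Player version string against the fixed release named above. The sample bytes are constructed for the demonstration.

```python
import struct

# SWF files start with one of these three signatures, followed by a version byte and a
# little-endian uint32 length (the uncompressed length for CWS/ZWS).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
FIXED_FLASH_VERSION = "10.2.153.1"  # fixed Flash Player release named in the article


def find_embedded_swf(data):
    """Return (offset, signature, version, length) for each plausible SWF header in data.

    A raw byte scan is a heuristic: it finds SWF objects stored verbatim inside a
    container such as an OLE .xls file, but misses content that is compressed or
    split across OLE sectors, so treat a miss as inconclusive."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos >= 0 and pos + 8 <= len(data):
            version = data[pos + 3]
            length = struct.unpack_from("<I", data, pos + 4)[0]
            plausible = 1 <= version <= 32 and length >= 8
            if sig == b"FWS":  # uncompressed: declared length cannot exceed what is present
                plausible = plausible and length <= len(data) - pos
            if plausible:
                hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def version_tuple(text):
    return tuple(int(part) for part in text.split("."))


def flash_needs_update(installed):
    """True when an installed Flash Player version predates the fixed release."""
    return version_tuple(installed) < version_tuple(FIXED_FLASH_VERSION)


# Constructed sample: OLE compound-file magic, padding, then an SWF 10 header at
# offset 32 declaring 48 bytes, as an embedded-object stream might hold it.
SAMPLE_XLS = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
              + b"FWS" + bytes([10]) + struct.pack("<I", 48) + b"\x00" * 40)
# Constructed benign bytes: the letters FWS followed by an implausible version byte.
SAMPLE_CLEAN = b"quarterly FWS" + bytes([200]) + b"\x00" * 8

if __name__ == "__main__":
    for hit in find_embedded_swf(SAMPLE_XLS):
        print("embedded SWF at offset %d: %s v%d, %d bytes" % hit)
    print("Flash 10.2.152.33 needs update:", flash_needs_update("10.2.152.33"))
```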
Since Reader X’s sandbox technology prevents execution of this exploit, the Reader X fix is slated for the next quarterly update for Reader, scheduled for July 14, 2011. Reader 9.x for Unix and Android, as well as Acrobat and Reader 8.x, are not affected by this vulnerability.
More information regarding these vulnerabilities can be found on Adobe’s Website.