Adobe has reported a critical vulnerability in its Flash Player, Reader and Acrobat applications. It’s interesting since it affects the desktop Flash Player along with the Android one and even the one embedded in Chrome.
Adobe is working on a fix, but until then you should be careful when dealing with Flash files – there are reports of attacks using this vulnerability…
Here’s a list of the affected software:
- Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.2.154.18 and earlier for Chrome users
- Adobe Flash Player 10.1.106.16 and earlier for Android
- The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.
Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected.
The reported attacks that exploit the vulnerability happened through an Excel file with an embedded Flash file. So, no attacks on Android as of yet, or at least none that Adobe knows about.
An update will be pushed out next week that fixes the vulnerability in all but Adobe Reader X. Protected Mode in Reader X (which should be enabled by default) prevents the exploit from auto-running, so Adobe feels it can wait to patch that on 14 June, the date the next quarterly security update for Adobe Reader is scheduled for.