Adobe Flash, PDF at Zero-Day Vulnerability Risk Again
Adobe warns of serious security flaws in Flash and PDF that could be leaving millions of users open to attack.
Adobe Flash users need to exercise extra caution this week as the technology is at risk from an unpatched zero-day flaw, according to Adobe (NASDAQ: ADBE).
The company issued an advisory about the latest vulnerability in its Flash Player technology late Friday, warning that the flaw could be exploited to trigger a crash that, in turn, could leave an attacker in control of a victim's Windows, Mac or Linux PC.
Adobe said in its advisory that it is aware of the vulnerability already being exploited in the wild.
The flaw exists in the latest Adobe Flash Player 10.0.45.2 release. It also impacts Adobe's Reader and Acrobat PDF applications, since Reader and Acrobat include authplay.dll, the component that enables Flash SWF files embedded in a PDF file to be played. As a result, Adobe Reader and Acrobat 9.3.2 are at risk, as are earlier 9.x versions. Adobe Reader and Acrobat version 8.x releases, however, are not vulnerable to the same flaw.
As a way to mitigate the danger, Adobe is advising Reader and Acrobat users to either delete or rename the authplay.dll file in their installations. Adobe also warned that once this is done, users will still experience an application crash when they attempt to open a PDF with Flash content. However, that crash will no longer be exploitable through the security vulnerability, it said.
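The following is an added example, not code from Adobe or from this article, showing how an administrator might apply the interim workaround described above across Reader and Acrobat installations, and how to flag which installed versions the advisory says are affected. The install directories, the `.disabled` suffix chosen for the renamed file, and the helper names are all assumptions; the version rules follow the article (Reader/Acrobat 9.x affected, 8.x not; Flash 10.0.45.2 affected, 10.1 not).

```python
"""Added example (not Adobe's or the article's code): rename authplay.dll in
Reader/Acrobat install trees, as the advisory's workaround describes, and
classify version strings against the affected ranges the article reports."""
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Assumed default install roots (not stated on the page); pass your own.
DEFAULT_ROOTS = [
    Path(r"C:\Program Files\Adobe\Reader 9.0\Reader"),
    Path(r"C:\Program Files\Adobe\Acrobat 9.0\Acrobat"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.3.2' into (9, 3, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def reader_acrobat_affected(version: str) -> bool:
    """Per the article: Reader/Acrobat 9.x (9.3.2 and earlier 9.x) are
    affected; 8.x releases are not."""
    return parse_version(version)[0] == 9

def flash_affected(version: str) -> bool:
    """Per the article: Flash 10.0.45.2 is affected and 10.1 is not.
    Treating every 10.0.x build as affected is an assumption on our part."""
    return parse_version(version)[:2] == (10, 0)

def disable_authplay(roots: Iterable[Path], dry_run: bool = False
                     ) -> List[Tuple[Path, Optional[Path]]]:
    """Rename authplay.dll to authplay.dll.disabled (our naming choice) under
    each root. Returns (original, renamed) pairs; renamed is None when the
    file was not present, so the caller can see which roots were untouched."""
    results: List[Tuple[Path, Optional[Path]]] = []
    for root in roots:
        dll = Path(root) / "authplay.dll"
        if not dll.is_file():
            results.append((dll, None))
            continue
        target = dll.with_name("authplay.dll.disabled")
        if not dry_run:
            dll.rename(target)   # keeps the file so it can be restored later
        results.append((dll, target))
    return results

def demo() -> dict:
    """Run the workaround against a constructed temporary tree so the example
    can be executed safely without touching a real installation."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        reader = Path(tmp) / "Reader 9.0" / "Reader"
        acrobat = Path(tmp) / "Acrobat 9.0" / "Acrobat"
        reader.mkdir(parents=True)
        acrobat.mkdir(parents=True)
        # Constructed stand-in file; only Reader gets one in this demo.
        (reader / "authplay.dll").write_bytes(b"constructed placeholder, not the real DLL")
        results = disable_authplay([reader, acrobat])
        return {
            "renamed": [t.name for _, t in results if t is not None],
            "missing": [str(o) for o, t in results if t is None],
            "still_present": (reader / "authplay.dll").exists(),
            "disabled_present": (reader / "authplay.dll.disabled").exists(),
        }

if __name__ == "__main__":
    for v in ("9.3.2", "9.1.0", "8.2.1"):
        print(f"Reader/Acrobat {v}: affected={reader_acrobat_affected(v)}")
    for v in ("10.0.45.2", "10.1.0.0"):
        print(f"Flash {v}: affected={flash_affected(v)}")
    print(demo())
```

For a real rollout, run `disable_authplay(DEFAULT_ROOTS, dry_run=True)` first to confirm which installations contain the file, then repeat without `dry_run`; renaming rather than deleting keeps the DLL available to restore once a patched release is installed.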
An upcoming release of Adobe Flash Player, version 10.1, may remove the threat permanently, since Adobe said it is not vulnerable to the same flaw. That makes upgrading to the publicly available 10.1 release candidate another alternative for security-conscious Flash users.
Adobe has not yet said when it plans to issue a patch for the vulnerability, nor when Flash Player 10.1 will become generally available.
This isn't the first time that a flaw in Adobe Flash has also affected Reader and Acrobat. A similar authplay.dll security vulnerability surfaced in 2009 and was later fixed by Adobe.