Adobe Flash Player Vulnerability Under Attack
In an advisory today, Adobe warned the vulnerability affects not only Flash Player, but Adobe Reader and Acrobat.
According to the company, the issue -- described as “critical” -- exists in Flash Player versions 10.2.153.1 and earlier (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) on Windows, Macintosh, Linux and Solaris, as well as Adobe Flash Player 10.2.156.12 and earlier versions for Android. The problem also exists in the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.
“This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe noted in the advisory. “There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform.
“At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat,” the advisory continued. “Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.”
During the past year, Adobe vulnerabilities have been the frequent target of attacks. The bombardment by hackers prompted Adobe to build sandboxing technology into Adobe Reader X for Windows.
“While Adobe is currently not aware of any attacks via PDF files targeting Adobe Reader or Acrobat, we strongly recommend Windows users upgrade to Adobe Reader X with Protected Mode,” an Adobe spokesperson told CRN. “Adobe Reader Protected Mode represents an exciting advancement in mitigating the impact of attempted attacks. Even if exploitable security vulnerabilities are found by an attacker, Adobe Reader Protected Mode helps prevent the attacker from writing files or installing malware on potential victims’ computers.”
Since Adobe Reader X ‘Protected Mode’ sandboxing technology prevents the exploit from executing, a patch for Reader X for Windows is slated to be put off until the next quarterly Reader security update, June 14, according to the company. Adobe said it is still in the process of finalizing a schedule for delivering updates for Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.2) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh.