Adobe To Fix Flash Player Bug Thursday
The impending Reader and Acrobat update, scheduled for June 29, was previously slated for July 13 as part of the company's comprehensive quarterly patch, which executives said would resolve a slew of "responsibly disclosed vulnerabilities."
Adobe's Brad Arkin said in a company blog post that the company considered a rushed patch for Reader and Acrobat along with Flash Player, but instead decided to incorporate those fixes into the quarterly patch, which was accelerated to June 29. Arkin said that two major patch releases within a period of a few weeks would have created challenges for most Adobe customers.
"Among other options, we also considered the alternative of releasing a one-off zero-day fix followed a couple of weeks later by the July 13 quarterly update. However, two patches within three weeks would have incurred too much churn and patch management overhead on our users, in particular for customers with large managed environments," Arkin said.
Security experts contend that the Flash Player bug should be a top priority because it can be used in attacks known as drive-by downloads, in which users can inadvertently download malware simply by visiting a malicious site that hosts infected media content.
Adobe confirmed the security bug in Flash, Reader and Acrobat on Friday. The vulnerability is being actively exploited by hackers to deliver malware to users' computers via infected PDF files. Exploit code has already been made public on the Internet, and Symantec said that it had seen limited attacks taking advantage of the Flash Player vulnerability.
In other attack scenarios targeting Reader or Acrobat, a hacker could entice a user into opening an infected PDF file, which Symantec researchers dubbed "Trojan.Pidief.J." Users would immediately download malware once they opened the malicious file, which could enable hackers to crash or take complete control of their computer remotely.
Until the Adobe patches are released later this month, Adobe recommends that users deploy a workaround by deleting, renaming or removing access to the authplay.dll file, which ships with Adobe Reader and Acrobat 9.x.
Also, Adobe said that it plans to launch new installers, and will make some changes to the latest version of Adobe Reader for the most popular language/platform pairs offered on the Adobe Download Center, but Arkin said that the company had yet to schedule a release date.
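The rename option of the workaround described above, as an added example that is not Adobe's or this article's code: it inventories every copy of the named DLL under the install directories an administrator supplies, reports without changing anything unless told to apply, and can restore the original name once the patched build is installed. The `.disabled` suffix, the function names and the command-line flags are assumptions of this example; the DLL name and the install roots are passed in by the operator.

```python
"""Added example. Usage: script.py DLL_NAME ROOT [ROOT ...] [--apply] [--restore]"""
import os
import sys

SUFFIX = ".disabled"  # assumed marker appended to a renamed copy


def find_copies(roots, dll_name):
    """Yield every file named dll_name or dll_name + SUFFIX (case-insensitive)."""
    wanted = {dll_name.lower(), (dll_name + SUFFIX).lower()}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in wanted:
                    yield os.path.join(dirpath, name)


def plan(roots, dll_name, restore=False):
    """Return (path, target) pairs; target is None if already in the wanted state."""
    actions = []
    for path in sorted(find_copies(roots, dll_name)):
        flip = path.lower().endswith(SUFFIX) == restore  # not yet in wanted state
        target = (path[: -len(SUFFIX)] if restore else path + SUFFIX) if flip else None
        actions.append((path, target))
    return actions


def run(roots, dll_name, apply=False, restore=False):
    """Report each copy; rename only when apply=True. Returns the new paths."""
    changed = []
    for src, dst in plan(roots, dll_name, restore):
        if dst is None:
            print(f"ok       {src}")
        elif not apply:
            print(f"would    {src} -> {os.path.basename(dst)}")
        elif os.path.exists(dst):
            print(f"conflict {src}: {dst} already exists")
        else:
            os.rename(src, dst)
            changed.append(dst)
            print(f"renamed  {src} -> {os.path.basename(dst)}")
    return changed


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    if len(args) < 2:
        sys.exit(__doc__)
    run(args[1:], args[0], "--apply" in sys.argv, "--restore" in sys.argv)
```

Running it without `--apply` first gives a per-machine inventory of where the DLL is still loadable, which is the record a managed environment needs before and after the quarterly update.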