Adobe Issues Update For Critical Flaws In Reader, Acrobat, Flash Player

The Department of Homeland Security/US-CERT warned users Thursday of critical bugs in Adobe Flash Player 10.2.153.1 and earlier for Windows, Mac, Linux and Solaris, version 10.2.154.25 and earlier for Chrome; version 10.2.156.12 and earlier for Android; Adobe AIR 2.6.19120 and earlier; Authplay.dll in Adobe Reader and Acrobat 9.x through 9.4.3 and 10.x through 10.0.2 on Windows and Mac OS X.

In addition, Adobe issued an advisory Thursday warning users of critical flaws in multiple versions of Reader and Acrobat X for Windows and Mac OS that leave the platforms susceptible to attack.

At least one of the vulnerabilities is being actively exploited in the wild against Flash Player, Adobe Reader and Acrobat, while an exploit has also been detected on a Flash file embedded in a Microsoft Word or Excel file and then delivered as an e-mail attachment targeting the Windows platform.

In an attack scenario, the exploit would cause a remote hacker to take complete control of an affected system, including accessing and stealing users' data, or crashing their machines. The attack could occur remotely, without requiring any user intervention.

There are some mitigating factors, however. Users who run Adobe Reader X Protected Mode would be protected from a malicious exploit. Subsequently Adobe said that it planned to wait to issue the next version of Adobe Reader X for Windows until the next quarterly update, slated for June 14.

In addition, Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by the vulnerabilities.

In its advisory, Adobe recommended that Reader X users update their systems to version 10.0.3 for Mac, and 9.4.4 for Windows and Mac. Adobe also advised that Acrobat X users upgrade to version 10.0.3 for Windows and Mac, and users of Acrobat 9.4.3 upgrade to version 9.4.4.

The updates can be found on the Adobe site.