Adobe fixes a critical vulnerability in Flash Player, Acrobat and Reader that would allow remote attackers to crash or take over an affected system.
Adobe has fixed and issued a security update to the zero-day vulnerability
in its Flash Player. In addition, the company has updated older versions of
Acrobat and Reader that could cause user systems to crash.
A week after announcing the critical
vulnerability in Adobe Flash Player
, Acrobat and Reader, the company issued
out-of-cycle security updates to close the hole on March 21.
The security update applies to Adobe Flash Player 10.2.152.33 and earlier
versions for Microsoft Windows, Apple Macintosh, Linux and Solaris systems. The
update also includes the latest version of Adobe AIR
2.6 for Windows, Macintosh and Linux. Adobe patched the vulnerability in the
Flash Player for Google Android, which was released on March 18.
There were reports of the vulnerability already being exploited against
Flash, but none against Reader or Acrobat, Adobe had said in the initial
advisory, issued March 14. The Flash exploit embedded a malicious Flash file
(SWF) in a Microsoft Excel file and was e-mailed to victims as an attachment.
Opening the compromised file could cause a system to crash and allow a hacker
to remotely take control of the affected system, according to Adobe's original
Security researchers had questioned why this kind of an obscure capability
was turned on by default in Excel. Microsoft has said that Office 2010 users
are not vulnerable to this exploit because of a security system called data
execution prevention that is included in that version of the office
productivity suite. The exploit would affect users running older versions of
Office on Windows.
Even though the vulnerability exists in the Mac versions of Adobe software,
the current exploit targets only Flash for Windows. However, the exploit could
easily be tweaked to work on the Macintosh platform. With this type of
potential vulnerability, Adobe decided it is best to patch all platforms at
Adobe had also noted that the sandboxing technology in Reader and Acrobat
meant the exploit wouldn't succeed, had one existed.
Adobe also rolled out another set of updates for earlier versions of Adobe
Reader and Acrobat 10.x and 9.x versions for Windows
The fix for Adobe Reader X for Windows is expected to be included in the next
quarterly update, scheduled for June 14, the company said. Including the fix
for Reader X would have delayed the fix for the earlier versions even more,
according to Adobe.
Adobe Reader 9.x for Unix, Adobe Reader for Android, Adobe Reader 8.x and
Acrobat 8.x are not affected by the vulnerability, Adobe said.
Separately, Google fixed the security vulnerability for the embedded Flash
Player in its Chrome
Web browser on March 17, long before Adobe rolled out
its updates. Google was able to get the fix in earlier because it has an
ongoing collaboration with Adobe that gives it early access to Flash before it
is released, according to the Guardian
Users running Chrome will have to make sure Flash for other browsers are
updated, or uninstall them altogether and use Flash only on Chrome, the article