Call it a good news, bad news situation for Adobe Systems. On the one hand, the company patched a number of vulnerabilities Oct. 28 in Shockwave Player; on the other hand, it issued a new advisory on a zero-day bug in Adobe Flash Player.
The Flash Player vulnerability affects version 10.1.85.3 and earlier on Windows, Macintosh, Linux and Solaris operating systems, as well as Flash Player 10.1.95.2 and earlier versions for Android. It also impacts the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and Unix systems, as well as Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh.
“This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe warned. “There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.
“We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux, and Android by November 9, 2010,” the company continued. “We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.”
At the same time the company issued an advisory, it tucked a fix for a zero-day bug in Shockwave Player into a massive update that plugged 10 other vulnerabilities. On Oct. 21, Adobe warned that a memory corruption vulnerability (CVE-2010-3653) in Shockwave Player version 22.214.171.1242 and earlier on Windows and Mac had been discovered. Six days later, the company warned the issue was under attack.
While users wait for a patch for the Flash Player vulnerability, users can delete, rename or remove access to the authplay.dll file that ships with Adobe Reader and Acrobat, Adobe advised. Doing so, however, will cause a non-exploitable crash or error message when opening a PDF file that contains Flash content. Instructions for doing this can be found in the advisory linked to above.