Adobe Systems pushed out a fix for an Adobe Flash Player zero-day faster than expected.
Initially expected to come out the week of Sept. 27, today’s patch fixes a vulnerability the company warned Sept. 13 had come under attack. Though the attacks have targeted Flash on Windows, the flaw impacts versions 10.1.82.76 and earlier on Windows, Macintosh, Linux and Solaris, as well as version 10.1.92.10 on Android. Adobe Reader and Acrobat versions 9.3.4 and earlier on Windows and Macintosh systems are affected as well, as are Reader versions 9.3.4 and earlier on Unix.
“This vulnerability (CVE-2010-2884) could use a crash and potentially allow an attacker to take control of the affected system,” according to the Adobe advisory. “There are reports that this vulnerability is being actively exploited in the wild against Flash Player on Windows. Adobe is not aware of any attack exploiting this vulnerability against Adobe Reader or Acrobat to date.”
Still open is a separate zero-day affecting versions of Adobe Reader and Acrobat. The fix for that vulnerability is slated to come the week of Oct. 4. In the meantime, security vendor RamzAfzar has released an unofficial patch for the vulnerability, while Microsoft and Adobe have advised users to try Microsoft’s Enhanced Mitigation Experience Toolkit 2.0 as a stopgap while they wait for the patch.