Adobe Updates Flash, Reader, Acrobat to Fix Zero-Day Bug

Adobe fixes a critical vulnerability in Flash Player, Acrobat and Reader that would allow remote attackers to crash or take over an affected system.

Adobe has fixed and issued a security update to the zero-day vulnerability in its Flash Player. In addition, the company has updated older versions of Acrobat and Reader that could cause user systems to crash.

A week after announcing the critical vulnerability in Adobe Flash Player, Acrobat and Reader, the company issued out-of-cycle security updates to close the hole on March 21.

The security update applies to Adobe Flash Player and earlier versions for Microsoft Windows, Apple Macintosh, Linux and Solaris systems. The update also includes the latest version of Adobe AIR 2.6 for Windows, Macintosh and Linux. Adobe patched the vulnerability in the Flash Player for Google Android, which was released on March 18.

There were reports of the vulnerability already being exploited against Flash, but none against Reader or Acrobat, Adobe had said in the initial advisory, issued March 14. The Flash exploit embedded a malicious Flash file (SWF) in a Microsoft Excel file and was e-mailed to victims as an attachment. Opening the compromised file could cause a system to crash and allow a hacker to remotely take control of the affected system, according to Adobe's original security warning.

Security researchers had questioned why this kind of an obscure capability was turned on by default in Excel. Microsoft has said that Office 2010 users are not vulnerable to this exploit because of a security system called data execution prevention that is included in that version of the office productivity suite. The exploit would affect users running older versions of Office on Windows.

Even though the vulnerability exists in the Mac versions of Adobe software, the current exploit targets only Flash for Windows. However, the exploit could easily be tweaked to work on the Macintosh platform. With this type of potential vulnerability, Adobe decided it is best to patch all platforms at once.

Adobe had also noted that the sandboxing technology in Reader and Acrobat meant the exploit wouldn't succeed, had one existed.

Adobe also rolled out another set of updates for earlier versions of Adobe Reader and Acrobat 10.x and 9.x versions for Windows and Macintosh. The fix for Adobe Reader X for Windows is expected to be included in the next quarterly update, scheduled for June 14, the company said. Including the fix for Reader X would have delayed the fix for the earlier versions even more, according to Adobe.

Adobe Reader 9.x for Unix, Adobe Reader for Android, Adobe Reader 8.x and Acrobat 8.x are not affected by the vulnerability, Adobe said.

Separately, Google fixed the security vulnerability for the embedded Flash Player in its Chrome Web browser on March 17, long before Adobe rolled out its updates. Google was able to get the fix in earlier because it has an ongoing collaboration with Adobe that gives it early access to Flash before it is released, according to the Guardian.

Users running Chrome will have to make sure Flash for other browsers are updated, or uninstall them altogether and use Flash only on Chrome, the article warned.