Adobe has issued a security warning over a zero-day vulnerability in its Flash Player, Adobe Reader, and Acrobat software packages which can lead to remote code execution.
The attack, which exists in Flash Player on Windows, Mac OS X, Linux, Solaris, and Android along with the Windows and Mac OS X versions of Adobe Reader and Acrobat, allows ne’er-do-wells to execute arbitrary code on the target system, provided the user can be tricked into opening a specially crafted file.
Adobe admits that the as-yet unpatched flaw is under active attack, with Excel files spreading across the web containing embedded malicious SWF content which triggers the flaw. While a similar bug in the authplay.dll component of Adobe Acrobat and Reader also exists, the company claims that particular vector is not currently being exploited.
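For defenders triaging the Excel-based vector described above, a quick way to find out whether an Office file carries embedded Flash is to look for SWF headers and the Shockwave Flash ActiveX CLSID inside its bytes. The following scanner is an added example, not Adobe's code or anything from the original report; the sample blob is constructed here, and a hit means "embedded Flash present, review it", not "malicious".

```python
import re
import struct

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib, LZMA SWF
# CLSID of the Shockwave Flash Object, {D27CDB6E-AE6D-11CF-96B8-444553540000},
# in the little-endian on-disk GUID layout used inside OLE compound files.
FLASH_CLSID_LE = bytes.fromhex("6EDB7CD26DAECF1196B8444553540000")

def find_swf_headers(data: bytes):
    """Return plausible SWF headers found anywhere in `data`."""
    hits = []
    for m in re.finditer(rb"[FCZ]WS", data):
        off = m.start()
        if off + 8 > len(data):
            continue
        version = data[off + 3]                       # SWF version byte
        length = struct.unpack_from("<I", data, off + 4)[0]  # declared uncompressed length
        # Text such as "FWS in a sentence" matches the magic but fails these
        # sanity bounds, which keeps false positives from plain ASCII low.
        if 1 <= version <= 50 and 8 <= length <= 512 * 1024 * 1024:
            hits.append({"offset": off, "magic": m.group().decode(),
                         "version": version, "length": length})
    return hits

def has_flash_clsid(data: bytes) -> bool:
    """True if the Shockwave Flash Object CLSID appears (OLE-embedded Flash)."""
    return FLASH_CLSID_LE in data

def scan(data: bytes) -> dict:
    return {"swf_headers": find_swf_headers(data),
            "flash_clsid": has_flash_clsid(data)}

# Constructed sample: an OLE compound-file signature, some padding, the Flash
# CLSID, and a zlib-compressed SWF header (version 10, 4096 bytes declared).
SAMPLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + FLASH_CLSID_LE
          + b"junk" + b"CWS" + bytes([10]) + struct.pack("<I", 4096)
          + b"\x78\x9c" + b"\x00" * 16)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Run it against a real .xls by passing `open(path, "rb").read()` to `scan()`; OOXML (.xlsx) containers need unzipping first, since the embedded object sits inside the archive.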
“We are in the process of finalizing a fix for the issue, and expect to make available an update during the week of March 21, 2011,” Adobe’s Wendy Poland said.
Users of Adobe Reader X on Windows, however, will have to wait a bit longer. Because the latest Reader build includes a ‘Protected Mode’ which seeks to prevent attacks such as this, Adobe has downgraded the severity of the bug on that platform – and while it will still get patched, it will be rolled out as part of the regularly scheduled security update due on the 14th of June.
This latest in a string of security holes in Adobe’s Flash platform will be yet more fuel for the anti-Flash sentiment emanating from the Apple and pro-HTML5 camps – and if the bug leads to any high-profile attacks, it could spell a PR nightmare for the company.