
Critical vulnerability in Adobe Flash, Reader and Acrobat (UPDATED)

First published: 2011-04-12
Updated: 2011-04-14
Updated: 2011-04-18
Updated: 2011-04-22

A critical vulnerability has been identified in Adobe Flash. The vulnerability is also present in the Authplay.dll component, which is included in Adobe Acrobat and Reader, so these applications are also vulnerable.

Critical is Adobe's highest vulnerability rating. A vulnerability rated critical could, when exploited, allow malicious native code to execute, potentially without the user being aware.

There are reports that the vulnerability is being exploited via a Flash file embedded in a Microsoft Word document (.doc file) delivered as an email attachment.

More information is available in Adobe's security advisory 11-02.

Currently there are no available fixes from Adobe.

More information will be published in this Norman Security Advisory when available.

Update 2011-04-14

Adobe's security advisory has been updated with a release schedule for vulnerable software:

  • Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, and Solaris: April 15, 2011
  • Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh: No later than the week of April 25, 2011.
  • Adobe Reader X for Windows: The next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.

Update 2011-04-18

Adobe has released an update for Adobe Flash Player. The latest version is available from Adobe Flash Player Download Center.

More information is available in Adobe's security bulletin 11-07.

Norman recommends that users of Adobe Flash Player update to the newer version as soon as possible.

Update 2011-04-22

Adobe has released updates for Adobe Reader and Acrobat ahead of the announced schedule. The vulnerability in these products is being exploited in the wild.

More information is available in Adobe's security bulletin 11-08, which also has links to download pages for the products.

Norman recommends that users of these Adobe products update to the newer version as soon as possible.