Softpedia
 


October 28th, 2010, 14:54 GMT · By

Adobe Confirms New Flash 0-Day and Reveals Patch Schedule


Adobe to patch zero-day Flash Player vulnerability in two weeks
Adobe has confirmed that a new critical vulnerability affects Flash Player, Adobe Reader and Acrobat, and plans to release patches in the second and third week of November, respectively.

Rumors of the zero-day vulnerability emerged earlier today, with researcher Mila Parkour revealing some details about an attack that exploited it.

The researcher said at the time that Adobe was notified and is investigating the issue. The company has now finished its analysis and has published an advisory.

"A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems," the company confirms.

Adobe Reader and Acrobat 8.x and Adobe Reader for Android are not vulnerable to attacks that target this vulnerability.

When we previously reported on the possible zero-day flaw, we expressed concern that the next scheduled Adobe Reader and Acrobat update was too far away.

However, it looks like the company has opted to break the quarterly patch cycle in order to address this vulnerability.

Fixed versions of Adobe Reader and Acrobat are expected to land during the week of November 15; most likely on Tuesday, if past experience is any indication.

Meanwhile, Flash Player will get a patch in about two weeks (around November 9), which means that Google Chrome will see an update at about the same time.

Nevertheless, three weeks is still a long time to be exposed to a vulnerability that is actively being exploited in the wild.

As mitigation for Reader and Acrobat, Adobe recommends deleting, renaming, or otherwise preventing access to the authplay.dll file.

Since this file is the Flash interpreter, users should take into consideration that doing this will leave the program unable to play SWF content embedded inside PDF files.
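One way to apply the authplay.dll rename across an installation tree, as an added example (not code from Adobe or from this article). The install root is supplied by the operator, and the `.disabled` suffix and function name are assumptions chosen for illustration.

```python
"""Rename authplay.dll under a Reader/Acrobat install tree (added example)."""
import os
import sys

TARGET = "authplay.dll"   # file name taken from the article
SUFFIX = ".disabled"      # assumption: any name the application will not load


def disable_authplay(root, dry_run=True):
    """Return a list of (original_path, new_path, status) for every match.

    status is 'would-rename', 'renamed', 'skipped-exists' or 'error: ...'.
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Windows file names are case-insensitive; match accordingly.
            if name.lower() != TARGET:
                continue
            src = os.path.join(dirpath, name)
            dst = src + SUFFIX
            if os.path.exists(dst):
                # A parked copy already exists but the DLL is still present:
                # do not overwrite, report it for manual review.
                results.append((src, dst, "skipped-exists"))
            elif dry_run:
                results.append((src, dst, "would-rename"))
            else:
                try:
                    os.rename(src, dst)
                    results.append((src, dst, "renamed"))
                except OSError as exc:  # e.g. file locked or access denied
                    results.append((src, dst, "error: %s" % exc))
    return results


if __name__ == "__main__":
    # usage: python disable_authplay.py <install-root> [--apply]
    if len(sys.argv) < 2:
        sys.exit("usage: disable_authplay.py <install-root> [--apply]")
    apply_changes = "--apply" in sys.argv[2:]
    for src, dst, status in disable_authplay(sys.argv[1], not apply_changes):
        print("%-15s %s" % (status, src))
```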

Unfortunately, there are few mitigations available for Flash Player, short of disabling it. Firefox users can install the NoScript extension, which allows them to manually select what SWF content is allowed to play.

READER COMMENTS:


Comment #1 by: Eric on 28 Oct 2010, 19:10 UTC

What in the heck is wrong with Adobe? They are both lazy and inept...critical vulnerabilities that put their users (who have little choice but to install flash if they want to enjoy all the web has to offer) at risk need to be patched quickly and invisibly.

There obviously needs to be a discussion about application security at Adobe and in general; there needs to be a more standardized, user-friendly method for updates, perhaps at the OS-level; if there was just more coordination and willpower, companies could make some serious dents in cyber-crime.
