Out-of-band update for Reader and Acrobat to follow

Feb 12, 2010 14:59 GMT

Adobe has released a security update for its Flash Player and AIR products. The patch addresses a critical unauthorized cross-domain interaction vulnerability, as well as a Denial of Service issue. Users are advised to upgrade to Flash Player 10.0.45.2 and AIR 1.5.3.1930.

"A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. This update also resolves a potential Denial of Service issue (CVE-2010-0187)," Adobe announces in the new security bulletin.

Fortunately, it appears that neither bug was disclosed as a zero-day, and neither is currently being exploited in the wild. Adobe credits a third-party developer named Michael Yong Park with reporting the critical cross-domain issue and thanks him for his cooperation. This means the vulnerability was handled according to responsible disclosure practices and was kept secret until a patch became available.

The company's Product Security Incident Response Team (PSIRT) has announced on its blog that a related Adobe Reader and Acrobat update is scheduled for February 16, 2010. "Adobe is planning to release an update for Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh to resolve critical security issues, including the Flash Player issue described in Security Bulletin APSB10-06," the security bulletin states.

Since June 2009, the Adobe Reader and Acrobat products have been following a uniform quarterly security update cycle aligned with Microsoft's Patch Tuesday. The last quarterly update took place on January 12, 2010 and the next is scheduled for April.

This means that next week's update will be an out-of-band one, triggered by the severity of the vulnerability. Nevertheless, the patch will land on Tuesday in order to make it easier for system admins to deploy it. Tuesday is seen as the best day for patching, as it allows for enough time until the end of the week to undo the process if something goes wrong.
