Adobe to Fix Critical Flash Player Vulnerability in Two Days

Adobe is rushing to fix an actively exploited Flash Player and Adobe Reader vulnerability, disclosed as a 0-day recently. A Flash Player security update is scheduled to ship on Thursday, while the scheduled update for Adobe Reader and Acrobat has been accelerated and is expected to land on June 29.

Last Friday, Adobe announced that its most widespread products, Flash Player and Reader, were affected by a highly critical vulnerability, which could be leveraged to remotely execute arbitrary code. However, the most important aspect about that disclosure consisted in the fact that the flaw was discovered in the wild where it was actively being exploited.

As an immediate response, Adobe published an advisory where it described mitigation steps users can take. In the case of Flash Player, these involved upgrading to a version that's still in development, while for Reader and Acrobat it meant killing possibly important functionality, like the ability to play SWF content embedded in PDF documents. Additionally, those initial instructions were only available for the Windows operating system.

The company has since updated its advisory to include step-by-step instructions on how to mitigate the Reader vulnerability on Mac and UNIX, and also announced a schedule for shipping the fixes. According to the newly released information, an update for the affected Flash Player 10.x for Windows Mac and Linux will be made available by Thursday. Adobe has still to work out a similar date for a Flash Player update on Solaris.

As far as Adobe Reader and Acrobat are concerned, we previously speculated that the company might be forced to break its quarterly update cycle for the third time since its introduction last year. According to a post on the Adobe Secure Software Engineering Team (ASSET) blog, this option was considered, but the company has instead chosen to move the release date for its next quarterly update, scheduled for July 13, two weeks earlier, and make it available on June 29. It will still ship on Tuesday, which is deemed as the most appropriate day of the week for performing patch management operation in large managed environments.

Brad Arkin, Adobe's director for product security and privacy, also commented on the new updated Reader installers that were due to appear on the company's Download Center at the same time as the July update. "Given the accelerated release of the next quarterly update, we are working to also pull in the schedule for posting the new installers. However, we do not yet have a confirmed date to announce," he wrote.