Critical Flash Player Patch Expected Tomorrow

Adobe has accelerated the previously announced Flash Player patch schedule and the fix for an actively exploited critical vulnerability is expected to land tomorrow.

Last Thursday, independent security researchers reported that a new Flash Player zero-day flaw might be actively exploited in attacks, which infect users with malware.

Adobe later confirmed the existence of the vulnerability (CVE-2010-3654) and posted a security advisory.

At the time, the company also announced plans to make a patch available during the week of November 9.

However, the advisory has since been updated. "We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux and Solaris by November 4, 2010," it now reads.

The Flash Player for Android patch schedule remains unchanged, with a fixed version expected to ship sometime next week.

Adobe can't compare with Mozilla, which recently managed to push a fix for an actively exploited Firefox vulnerability in less than 48 hours, but one week is still a significant improvement.

Unfortunately, tomorrow's release doesn't resolve the problem, because the Flash interpreter in Adobe Reader and Acrobat is also vulnerable to the same flaw.

In fact, in-the-wild attacks observed so far, exploit this Flash vulnerability via malicious SWF content embedded in PDF documents.

Patching Flash Player might protect users against future attacks targeting the application directly, but it doesn't stop current exploits from working.

The authplay.dll Flash interpreter can only be patched via an Adobe Reader and Acrobat update, the next of which is scheduled for the week of November 15.

In the meantime, in order to stay protected, users can remove, rename or prevent access to the authplay.dll file, but it's worth noting that this will disable PDF Flash support.

Users are also advised to keep their antivirus programs up to date, because Adobe is actively working with security vendors to add detection for exploits targeting this vulnerability.