Ten critical vulnerabilities addressed

Jul 31, 2009 10:39 GMT

Adobe has shipped the much-awaited updates for its Flash Player and AIR products that fix a considerable number of critical vulnerabilities, some of which are actively being exploited in the wild. Patches for Adobe Reader and Acrobat are also scheduled for release today.

This past month has not been an easy one for Adobe's security team. On July 22nd, security researchers reported that a zero-day Flash Player vulnerability was being exploited in the wild to infect computers with malware. It was soon determined that Adobe Reader and Acrobat were also vulnerable, because of their ability to play Flash streams embedded in PDF files.

Almost a week later, Adobe announced that the recent vulnerability discovered in the Microsoft Active Template Library (ATL) also impacted the Flash Player and Shockwave Player plug-ins for Internet Explorer, possibly allowing attackers to take control of affected systems. The Shockwave Player issue has been addressed in version 11.5.1.601 of the product, released on July 28th.

The Flash Player and AIR updates released today resolve the two aforementioned vulnerabilities, as well as six other flaws that could result in unauthorized code execution, one clickjacking bug and a sandbox weakness that can lead to information disclosure.

To protect themselves, users can upgrade to Flash Player 9.0.246.0 or 10.0.32.18, depending on the version they are using, and to Adobe AIR 1.5.2. "We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009," the company writes in the accompanying security bulletin.

"We seem to be seeing more and more attempts by hackers to exploit vulnerabilities in Adobe's software – so it would be a very good idea for everyone to update their systems as soon as possible," Graham Cluley, senior technology consultant at antivirus vendor Sophos, also advises.