Apr 14, 2011 06:51 GMT

Adobe plans to release a security patch for Flash Player tomorrow and one for Adobe Reader and Acrobat two weeks from now in order to address a critical vulnerability actively exploited in the wild.

The security issue was discovered earlier this month in targeted email attacks that distributed Word documents rigged with a SWF exploit.

According to an analysis by independent security researcher Mila Parkour, there were several different rogue emails and, judging by their content and the names of the distributed files, they targeted corporate users, probably in a cyber espionage attempt.

Identified as CVE-2011-0611, the flaw affects Flash Player 10.2.153.1 and earlier for Windows, Mac, Linux and Solaris, as well as Flash Player 10.2.156.12 and earlier for Android.

Adobe Reader and Acrobat are also affected because of the authplay.dll component, which is responsible for Flash playback support inside PDF documents.

"We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.2.x for Windows, Macintosh, Linux and Solaris on Friday, April 15, 2011," Adobe's Product Security Incident Response Team (PSIRT) wrote on its blog.

Furthermore, it announced that affected Adobe Reader and Acrobat versions, with the exception of Adobe Reader X (10.0.1) for Windows, will be updated on April 25.

Adobe Reader X for Windows is also vulnerable, but its new sandboxing technology protects it from exploits that try to use the flaw to execute arbitrary code.

Therefore, Adobe Reader and Acrobat X for Windows will follow the regular quarterly security update cycle and will receive a patch on June 14.

Users who want to protect themselves from the Word-based or PDF-based attacks can uninstall the ActiveX version of Flash Player and delete the authplay.dll component from the Adobe Reader folder.