Mar 22, 2011 14:01 GMT

Adobe has released security updates for Adobe Reader and Acrobat to address a zero-day vulnerability in the bundled Flash Player component.

The vulnerability is identified as CVE-2011-0609 and was confirmed last Monday after attacks were detected exploiting it in the wild.

The flaw affects Adobe Flash Player and can be targeted via malformed SWF files, which means the authplay.dll component included in Adobe Reader and Acrobat is also vulnerable.

Authplay.dll handles support for Flash animations in PDF documents and was introduced in Adobe Reader and Acrobat 9.x. The 8.x branch of the products is not affected by the vulnerability.

However, users are still encouraged to upgrade to Adobe Reader and Acrobat X (10.x), which is more secure by design.

The vulnerability also exists in products from this latest branch, but because they parse PDF documents inside a sandbox, they are protected from arbitrary code execution exploits.

In computing, a sandbox refers to a restricted environment where access to outside resources is strictly monitored and controlled.

Adobe Reader 9.x for UNIX and Adobe Reader for Android are not affected either, because they don't contain the authplay component.

Users of Adobe Reader 9.x for Windows and Macintosh are urged to upgrade to Adobe Reader 9.4.3, while users of Adobe Acrobat 10.x should upgrade to Adobe Acrobat 10.0.2.

Only Adobe Reader 10.0.2 for Macintosh is currently available. Users of Adobe Reader 10.x for Windows will have to wait until June for a patch.

"Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011," Adobe notes.

The latest versions of Adobe Reader for Windows can be downloaded from here.

The latest versions of Adobe Reader for Mac can be downloaded from here.