Mitigation available

Jun 5, 2010 10:32 GMT  ·  By

Adobe warns users that an unpatched vulnerability affecting Flash Player, Reader and Acrobat is actively being exploited in the wild. The critical flaw allows attackers to remotely execute arbitrary code.

The vulnerability affects the latest stable releases of Flash Player 10.0.x and 9.0.x, as well as any older versions, for all supported operating systems - Windows, Mac and UNIX. The company notes that the latest release candidate for the upcoming Flash Player 10.1 is not affected and advises users to upgrade to it.

The bug also affects the latest versions of Adobe Reader and Acrobat through the authplay.dll library bundled with these products. This component plays SWF (Flash) content embedded in PDF documents and was hit by a similar vulnerability in July last year. Until a fix becomes available, Adobe proposes renaming or deleting this file, or denying access to it, as a workaround; the side effect is that Flash content inside PDFs will no longer play.
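As an added example (not code from the page and not Adobe's tooling), the following Python helper implements the "rename the library" form of that workaround for Reader/Acrobat 9 installs, with a dry-run plan, a state check you can run across machines, and a revert for when the fixed build ships. The default install directories, the `.disabled` suffix, and the throw-away demo tree are assumptions for illustration.

```python
"""Apply, check and revert the interim authplay.dll workaround for Reader/Acrobat 9.

Added example, not Adobe's tooling. Implements the 'rename the library' option from the
advisory. The install paths below are assumed defaults; adjust them for your estate.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

TARGET = "authplay.dll"
DISABLED = TARGET + ".disabled"   # chosen name for the renamed library (assumption)

# Assumed default install directories for Reader/Acrobat 9.x on Windows.
# Do not list 8.x directories: the advisory states 8.x is not vulnerable.
DEFAULT_ROOTS = [
    r"C:\Program Files\Adobe\Reader 9.0\Reader",
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader",
    r"C:\Program Files\Adobe\Acrobat 9.0\Acrobat",
    r"C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat",
]


def find_named(root: str, name: str) -> List[Path]:
    """Return every file called `name` (case-insensitive) under `root`; [] if root is missing."""
    base = Path(root)
    if not base.is_dir():
        return []
    return [p for p in base.rglob("*") if p.is_file() and p.name.lower() == name.lower()]


def mitigation_state(roots: Iterable[str]) -> Dict[str, str]:
    """Classify each root: 'exposed' (live authplay.dll present), 'mitigated' (only the
    renamed copy present) or 'absent' (neither, e.g. product not installed there)."""
    state = {}
    for root in roots:
        if find_named(root, TARGET):
            state[root] = "exposed"        # a live dll wins even if a renamed copy also exists
        elif find_named(root, DISABLED):
            state[root] = "mitigated"
        else:
            state[root] = "absent"
    return state


def apply_mitigation(roots: Iterable[str], dry_run: bool = True) -> List[Tuple[str, str]]:
    """Rename each live authplay.dll to authplay.dll.disabled and return the (src, dst) pairs.
    With dry_run=True nothing is touched, so the plan can be reviewed before rollout."""
    actions = []
    for root in roots:
        for dll in find_named(root, TARGET):
            dst = dll.with_name(DISABLED)
            if dst.exists():
                raise FileExistsError(f"refusing to overwrite existing backup {dst}")
            actions.append((str(dll), str(dst)))
            if not dry_run:
                os.replace(dll, dst)
    return actions


def revert_mitigation(roots: Iterable[str]) -> List[Tuple[str, str]]:
    """Put authplay.dll back once Adobe's fixed build is deployed (or if Flash-in-PDF is needed)."""
    actions = []
    for root in roots:
        for bak in find_named(root, DISABLED):
            dst = bak.with_name(TARGET)
            actions.append((str(bak), str(dst)))
            os.replace(bak, dst)
    return actions


def make_demo_tree() -> str:
    """Constructed fixture: a temporary directory mimicking a Reader 9 install, for offline trial.
    The file content is a placeholder, not a real DLL."""
    root = Path(tempfile.mkdtemp(prefix="reader9-"))
    lib = root / "Reader" / TARGET
    lib.parent.mkdir(parents=True)
    lib.write_bytes(b"MZ placeholder, not a real DLL")
    return str(root)


if __name__ == "__main__":
    root = make_demo_tree()
    print(mitigation_state([root]))                  # {'<tmp>': 'exposed'}
    print(apply_mitigation([root], dry_run=True))    # plan only, nothing renamed yet
    print(apply_mitigation([root], dry_run=False))
    print(mitigation_state([root]))                  # {'<tmp>': 'mitigated'}
```

Run `mitigation_state(DEFAULT_ROOTS)` on a real machine (as an administrator) to see whether it is exposed, review the dry-run plan, then rerun with `dry_run=False`. Two caveats a practitioner should keep in mind: this only covers the SWF-in-PDF path through Reader and Acrobat, not the standalone or browser Flash Player, for which the page's guidance is to move to the 10.1 release candidate; and the "deny access" variant of the workaround (an NTFS ACL on the file) reaches the same outcome without moving the file, at the cost of being easier to overlook when the real update later needs to replace it.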

"This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat," reads Adobe's Security Advisory on the issue. "Adobe Reader and Acrobat 8.x are confirmed not vulnerable," the company adds.

Adobe products have been plagued by many zero-day remote code execution vulnerabilities in recent years, which has earned the company a poor reputation among security-conscious users. To make it easier for system administrators in large companies to deploy security updates, in June last year Adobe introduced a quarterly patching cycle aligned with Microsoft's Patch Tuesday. However, because of critical bugs discovered in the wild, the company has already been forced to release out-of-band updates twice, and this latest vulnerability looks likely to call for a third.

You can follow the editor on Twitter @lconstantin