Adobe to patch Flash Player hole Friday
Adobe has confirmed that it plans to patch a previously reported critical vulnerability in Flash Player 10.2.153.1 for Windows, Macintosh, Linux and Solaris on Friday, 15 April. There are already reports that the zero-day bug in Flash Player is being exploited using crafted .swf files embedded in Microsoft Word .doc files that are sent as email attachments. When successfully exploited, the vulnerability can allow an attacker to take control of a system.
The issue can also be found in the Authplay.dll component used in Adobe Reader and Acrobat X 10.0.2 and all earlier versions for Windows and Mac OS X, including the 9.x branch. Adobe says that it will make an update available for these versions "no later than the week of April 25, 2011".
The company notes that, because Adobe Reader X includes Protected Mode, which prevents this type of exploit from executing, it plans to address the issue in Adobe Reader X in the next quarterly security update, scheduled for 14 June 2011. However, no release date has been announced for a patch for Flash Player 10.2.156.12 and earlier for Android.
Further details about the updates can be found in a post on the Adobe Product Security Incident Response Team (PSIRT) Blog by David Lenoe.
- Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat, security advisory from Adobe.