Another critical hole in Adobe Flash, Reader and Acrobat
Only a few weeks after its comprehensive patch day, Adobe has had to admit to another critical hole in its products. The problem is once again caused by the Flash Player, which contains a critical security vulnerability. The vulnerable library – authplay – also allows attackers to exploit the hole via PDF files displayed in Adobe Reader. There are already reports of criminals exploiting this flaw to infect computers with malware via specially crafted emails.
Adobe say that all versions of Flash Player for Windows, Macintosh, Linux and Solaris are affected up to version 10.1.85.3; also affected is Flash Player version 10.1.95.2 for Android. The vulnerable authplay library is shipped with versions 9.x of Reader and Acrobat; versions 8.x are apparently immune.
As a workaround, Adobe currently recommends that users delete or rename the vulnerable file, which is authplay.dll in Windows, AuthPlayLib.bundle on Macs and libauthplay.so.0.0.0 on Unix-based systems. The workaround will cause Reader to crash when a PDF file attempts to render Flash content, but it will also prevent arbitrary code from being injected.
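The rename workaround described above can be scripted for Mac and Unix-based systems. The following is an added example, not code from Adobe or from the original article: the function names, the `.disabled` suffix and the search root passed as an argument are assumptions, since the article gives no installation paths.

```shell
#!/bin/sh
# Added example: locate and rename the authplay library named in the advisory.
# The search root is supplied by the caller (assumption: no paths are given
# in the article); ".disabled" is an arbitrary suffix chosen for this example.

# find_authplay ROOT: print every path under ROOT that matches one of the
# three file names. -prune stops find descending into the Mac bundle, which
# is a directory rather than a single file.
find_authplay() {
    find "$1" \( -name 'authplay.dll' \
              -o -name 'AuthPlayLib.bundle' \
              -o -name 'libauthplay.so.0.0.0' \) -print -prune 2>/dev/null
}

# disable_authplay ROOT [apply]: dry run by default; with "apply", rename
# each hit to NAME.disabled. Returns 1 if any rename failed.
disable_authplay() {
    root=$1 mode=${2:-dry-run} rc=0
    hits=$(find_authplay "$root") || true
    [ -n "$hits" ] || { echo "no authplay library under $root"; return 0; }
    # Read line by line so paths containing spaces are handled correctly.
    while IFS= read -r path; do
        if [ "$mode" = apply ]; then
            if mv -- "$path" "$path.disabled"; then
                echo "renamed: $path -> $path.disabled"
            else
                echo "FAILED:  $path" >&2
                rc=1
            fi
        else
            echo "would rename: $path"
        fi
    done <<EOF
$hits
EOF
    return $rc
}

# Usage: disable_authplay /path/to/reader/install         (dry run)
#        disable_authplay /path/to/reader/install apply   (rename)
```

Renaming rather than deleting keeps the change reversible once the patched Reader and Acrobat are installed.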
An upgrade to Flash Player 10.x is to become available on the 9th of November and will apparently fix the problem. Adobe has promised to release a patch for Reader and Acrobat in the week starting on the 15th of November. Until then, users are advised to be very cautious when handling PDF files from unknown sources.