Adobe is once again releasing software updates to address a zero-day vulnerability in Adobe Flash. Adobe already unleashed an updated version of Adobe Flash itself, but today it is also releasing updated versions of Acrobat and Reader which both rely on a vulnerable component of Flash.
The updates arrived sooner than expected, perhaps in response to new exploits in the wild. The Adobe security advisory explains, "There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform."
Qualys CTO Wolfgang Kandek describes the current threat in a recent blog post. Kandek says that the malicious Word document file attachment typically has a legitimate sounding name to lure users into opening it. But, as soon as the victim opens the attachment, the Flash zero-day vulnerability is exploited to install a remote control agent, and then a second Word document is opened which contains the real content. The insidious part is that it all happens in the blink of an eye--much faster than most users would even notice.
I have pointed out that the similarities of the back-to-back zero-day flaws in Flash seem to indicate they are related, and suggested that perhaps Adobe rushed the patch so much the first time around that it missed some key element of the vulnerability. But, an Adobe spokesperson stressed that the two Flash vulnerabilities are completely unrelated, explaining, "The two vulnerabilities existed in entirely different parts of the code and different ActionScript Virtual Machines (AVMs)."
The affected software includes Adobe Reader X (10.0.1) and earlier versions for Windows, Adobe Reader X (10.0.2) and earlier versions for Macintosh, and Adobe Acrobat X (10.0.2) and earlier versions for Windows and Macintosh. Users of these products are strongly encouraged to download and install the updated software as soon as possible.
Adobe is still holding out for the regular quarterly update cycle in June to patch the Windows version of Adobe Reader X. Adobe states that the Protected Mode sandbox security in Reader X for Windows will prevent any exploit from executing, so it does not consider it a priority for developing an out-of-band update.