Adobe unveiled last Monday that a zero-day vulnerability had been discovered in Adobe Flash, as well as in the authplay.dll element that is used in Adobe Acrobat and Reader. The flaw was reportedly being exploited in the wild in targeted attacks using a malicious Web page or Flash (SWF) file embedded within a Microsoft Word (DOC) or Excel (XLS) file attachment.
The concerning thing about the latest zero-day revelation, though, is how identical it is to the Flash zero-day that Adobe just announced and raced to patch a month prior. I don’t know for sure if the two are related, but at face value it seems to me that maybe Adobe was too quick to patch a specific vector of the vulnerability, but missed the underlying root flaw, and attackers quickly re-engineered the attack to circumvent the Adobe patch.
Adobe recommends that users of Adobe Flash 10.2.153.1 or earlier for Windows, Mac OS X, Linux, and Solaris upgrade to Adobe Flash Player 10.2.159.1. Users of Adobe AIR 2.6.19120 and earlier versions for Windows, Mac OS X, and Linux should make the switch to AIR 2.6.19140.
Google Chrome has Flash integrated into the browser, and users should upgrade to Chrome version 10.0.648.205 to get the patched version of Flash. Adobe does not intend to release an update for Flash for Android until the week of April25.
Also expected no later than the week of April 25 are updates for affected versions of Adobe Reader and Adobe Acrobat. However, as with the previous zero-day patch, Adobe does not intend to produce an update for Adobe Reader X for Windows until the next scheduled quarterly update in June. The Protected Mode sandbox security in Reader X for Windows will prevent any exploit from executing.