Adobe released a handful of patches this week to address serious security vulnerabilities. The most relevant update for the vast majority of users is the patch for Adobe Flash Player, but IT admins should also be aware of the updates for ColdFusion and Flash Media Server.
Adobe is supposed to be on a scheduled quarterly update cycle, but this handful of updates comes about two months ahead of the next scheduled release–which is supposed to be October 12, 2010.
The APSB10-16 is titled “Security Update available for Adobe Flash Player”, but the flaw identified in the security bulletin actually affects both Adobe Flash Player, and Adobe AIR. The Flash versions impacted include 10.1.53.64 and earlier for Windows, Mac, Linux, and Solaris, and the affected Adobe AIR versions include 184.108.40.20610 and earlier for Windows, Mac, and Linux.
The vulnerabilities in Adobe Flash Player and Adobe AIR could be exploited to cause the application to crash, or potentially allow an attacker to take control of the affected system–enabling the attacker to install or execute additional malicious software on the PC. At this time, though, Adobe is not aware of any exploits in the wild.
Adobe has become a primary target for malware developers. As Microsoft has steadily improved efforts to secure its operating systems and applications against attack, the relatively ubiquitous Adobe products have drawn attention. Adobe’s secure coding efforts are not at the same level of maturity as Microsoft, providing ample opportunity for exploit.
Malware developers are wily and are increasingly adept at luring gullible users to click on malicious links and open malicious files–often PDF files–by ripping headlines from major breaking news. A recent McAfee report illustrates that the malware threat is bigger than ever and continuing to grow.
IT admins need to be aware of identified vulnerabilities–particularly in applications like Adobe Flash and Adobe Reader that exist on virtually every system regardless of operating system platform, and assess and implement critical security patches on a timely basis.