With attackers actively exploiting the bug to remotely execute code, Adobe recommends that all Flash, Reader, and Acrobat users upgrade immediately.

Mathew J. Schwartz, Contributor

March 22, 2011

2 Min Read

Top 10 Security Stories Of 2010

Top 10 Security Stories Of 2010

(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010

On Monday, Adobe patched a critical vulnerability in its Flash, Reader, and Acrobat products. It recommends that all users upgrade immediately to the latest version.

The out-of-cycle patch -- Adobe normally releases patches quarterly -- reflects the severity of the vulnerability as well as the fact that attackers are actively exploiting the bug to remotely execute code. In particular, attackers have been targeting Flash Player, by distributing via email a malicious Flash file (.swf) embedded in a Microsoft Excel file (.xls).

As of Monday, Adobe said that it hasn't seen any attacks targeting the Flash-related authplay.dll component in Adobe Reader or Acrobat, which is also vulnerable. "Note also that Adobe Reader X Protected Mode -- 'sandboxing' -- would prevent an exploit of this kind from executing," said Adobe.

The updated -- aka patched -- Flash software versions are Flash Player (for Windows, Macintosh, Linux, and Solaris), AIR 2.6 (Windows, Macintosh, and Linux), and Flash Player (for Android), which was released on March 18. Meanwhile the latest version of Google Chrome, 10.0.648.134, integrates Flash Player version, which also has the patch. It was released on March 15.

As that suggests, Adobe shares Flash patches with Google in advance of their general release, which gives Google a head start on patching its browser. Google, notably, also updates Flash Player for Chrome automatically. Other browser users will need to download and install the latest version manually.

For Adobe Reader and Acrobat, the updated version of Adobe Reader X 10.0.2 is only being released for Macintosh, since the Windows version (10.0.1) would prevent the attack from exploiting. Accordingly, Windows users won't see a patch until the next quarterly patch release date, scheduled for June 14, 2011.

Other updated versions -- all for both Windows and Macintosh -- are Reader 9.4.3, Adobe Acrobat X 10.0.2, and Adobe Acrobat 9.4.3. Reader and Acrobat users can check for and download updates through the application's "help" menu.

Read more about:


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights