March 21, 2011, 8:56 PM — Adobe is releasing updates today to address a critical zero-day flaw in Flash Player--and the authplay.dll element used in Adobe Reader and Adobe Acrobat--that was announced last week. Time to get patching.
The vulnerability in Flash Player can be exploited to allow the attacker to take complete control of the target PC, and be able to install other malicious code or access sensitive information. Even a "failed" exploit could crash the system. Adobe has reported limited attacks in the wild targeting this flaw with a Flash (SWF) file embedded in a Microsoft Excel (XLS) file attachment in an email.
There are no known attacks directed at Adobe Reader or Adobe Acrobat yet. But, the fact that both products can render Flash content with the authplay.dll component makes them vulnerable, and there is some concern that attacks could use malicious PDF files to exploit the vulnerability.
The updates today apply to Flash Player--including the Chrome Web browser with integrated Flash support, Acrobat, and most versions of Reader. Adobe Reader X for Windows will have to wait for its update.
Adobe Reader X for Windows includes a security sandbox that segregates scripts and other such executable code from being able to interact with or impact the underlying program, or the Windows operating system. The sandbox protection is not impervious, but the extra layer of security means that it is very unlikely that an attack attempting to exploit authplay.dll would be successful.
The Adobe security bulletin for Acrobat and Reader explains, "Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011."
The updates are available now for Adobe Reader and Adobe Acrobat. The update for versions of Adobe Flash Player--and the Chrome Web browser with integrated Flash support--will be available sometime this afternoon according to an Adobe spokesperson.