Adobe has issued a security bulletin about a critical security flaw found in Adobe Flash Player affecting the Windows, Macintosh, Linux, Solaris, and Android operating systems. The vulnerability, labeled CVE-2011-0609, “could cause a crash and potentially allow an attacker to take control of the affected system.” The company reports that exploits are already in the wild — most prevalently attached to Flash (.swf) and Excel (.xls) files. Adobe notes that it is “aware” of exploits for Adobe Reader and Acrobat, but explains that “Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.” The company has stated that it will issue a patch for its Flash Player sometime during the week of March 21st. Curiously, the company writes, “Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.” June? Wow. Now might be a good time to enable Protected Mode on Adobe’s PDF reader.
Adobe released a security bulletin today warning of a critical, zero-day vulnerability in its Reader and Flash Player software. The bulletin notes that an unpatched system could “crash [your system] and potentially allow an attacker to take control of the affected system.” The vulnerability affects:
- Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.1.95.2 and earlier for Android
- Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX
- Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh
Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Adobe Reader for Android is not affected by this issue.
Adobe is promising an update to fix the issue by November 9. Hit the read link to read more and for mitigation instructions for your specific platform.
Just a heads up for all of you who have been anxiously waiting in your fallout shelters for Adobe to patch that nasty zero-day exploit. Adobe has announced that tomorrow it will be dishing out an update that should resolve the matter where Flash is concerned. As for Acrobat and Reader, the two other Adobe products that are vulnerable, both will have their quarterly security date bumped up by two weeks, meaning that this whole mess should be resolved by the 29th of June.
Yesterday, Adobe announced that a zero-day exploit exists in Flash 10.0.45.2 and earlier, as well as Adobe Reader and Acrobat 9.x. The company website explains:
…(CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.
The zero-day exploit, without question, is the mother of all vulnerabilities. A recent report put the black market price tag of a good zero-day exploit — one that can be widely distributed — at just north of $50,000. Governments and private security firms have been rumored to pay more than quadruple that figure on the “white market” if the vulnerability is severe enough. We’ve got the complete security bulletin, with mitigation instructions, queued up for you after the bounce.