Adobe Fixes Zero-Day Flaw

Adobe has released a fix for a week-old critical vulnerability in Flash Player, Acrobat and Reader

Adobe has fixed and issued a security update to the zero-day vulnerability in its Flash Player. In addition, the company has updated older versions of Acrobat and Reader that could cause user systems to crash.

A week after announcing the critical vulnerability in Adobe Flash Player, Acrobat and Reader, the company issued out-of-cycle security updates to close the hole on 21 March.

Exploitation reports

The security update applies to Adobe Flash Player 10.2.152.33 and earlier versions for Microsoft Windows, Apple Macintosh, Linux and Solaris systems. The update also includes the latest version of Adobe AIR 2.6 for Windows, Macintosh and Linux. Adobe patched the vulnerability in the Flash Player for Google Android which was released on 18 March.

There were reports of the vulnerability already being exploited against Flash, but none against Reader or Acrobat, Adobe had said in the initial advisory, issued on 14 March. The Flash exploit embedded a malicious Flash file (SWF) in a Microsoft Excel file and was emailed to victims as an attachment. Opening the compromised file could cause a system to crash and allow a hacker to remotely take control of the affected system, according to Adobe’s original security warning.

Security researchers had questioned why this kind of an obscure capability was turned on by default in Excel. Microsoft has said that Office 2010 users are not vulnerable to this exploit because of a security system called data execution prevention that is included in that version of the office productivity suite. The exploit would affect users running older versions of Office on Windows.

Even though the vulnerability exist in the Mac versions of Adobe software, the current exploit targets only Flash for Windows. However, the exploit could easily be tweaked to work on the Macintosh platform. With this type of potential vulnerability, Adobe decided it is best to patch all platforms at once.

Sandboxing

Adobe had also noted that the sandboxing technology in Reader and Acrobat meant the exploit wouldn’t succeed, had one existed.

Adobe also rolled out another set of updates for earlier versions of Adobe Reader and Acrobat 10.x and 9.x versions for Windows and Macintosh. The fix for Adobe Reader X for Windows is expected to be included in the next quarterly update, scheduled for June 14, the company said. Including the fix for Reader X would have delayed the fix for the earlier versions even more, according to Adobe.

Adobe Reader 9.x for Unix, Adobe Reader for Android, Adobe Reader 8.x and Acrobat 8.x are not affected by the vulnerability, Adobe said.

Separately, Google fixed the security vulnerability for the embedded Flash Player in its Chrome web browser on 17 March, long before Adobe rolled out its updates. Google was able to get the fix in earlier because it has an ongoing collaboration with Adobe that gives it early access to Flash before it is released, according to the Guardian.

Users running Chrome will have to make sure Flash for other browsers are updated, or uninstall them altogether and use Flash only on Chrome, the article warned.