Adobe warns serious Flash flaw is being exploited
Adobe has admitted that a flaw in its Flash player, which allows attackers to take control of affected machines, is being exploited in the wild.
The critical vulnerability is found in all versions of the Flash Player across all operating systems, except for the release candidate of Flash Player 10.1. It’s also lurking in the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and Unix operating systems.
“This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe’s security advisory warns. “There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.”
Short of “upgrading” to the Flash Player 10.1 RC – a big gamble, especially for companies – there appears to be no way of mitigating the threat other than uninstalling Flash.
Adobe has provided a complex workaround for Acrobat 9 users, which involves deleting a .dll file and putting up with a “non-exploitable crash or error message when opening a PDF file that contains SWF content”.
Adobe says it will update its security advisory when it has details of a fix.
The serious flaw will do little to aid Adobe’s PR war with Apple, with security being one of the chief reasons why Apple boss Steve Jobs refuses to allow Flash onto the iPhone/iPad.