Adobe warns on zero-day flaw in Flash
Adobe has warned users about attacks against another zero-day flaw in Reader and Acrobat.
The flaw is in versions 9 and 10 of Reader and Acrobat, as well as Flash, Adobe admitted.
“This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in a security bulletin. “There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.”
However, security firm Trend Micro warned that the flaw lies in Flash, saying it was similar to an Adobe zero-day flaw discovered in June.
“As in the June attack, the vulnerable component lies in Flash,” Jonathan Leopando said in a Trend Micro blog post. “Acrobat and Reader were just both affected because they include what is, in effect, an embedded Flash Player in the file authplay.dll.”
Adobe said it would issue a patch for Flash on 9 November, while Reader and Acrobat will be fixed on 15 November.
Until then, Adobe advised users to delete or rename the authplay.dll file, but warned that doing so will cause PDFs with Flash content to crash.