Critical Adobe Flaw without Patch

A vulnerability within the current versions of Adobe Flash Player on all supported platforms has been found, warns the company. Affected are not only the Flash Player installations, but also Adobe Reader and Acrobat via the “authplay.dll” Flash Player integration. Currently there is no mitigation which will help against the exploitation – so only opening expected documents from trusted sources for the time being is a good advice.

Adobe explains that they found an Excel sheet with malicious SWF content exploiting the vulnerability as an email attachment in a very limited, targeted attack. The reason for this is simple – one wouldn’t expect such malicious content in an Excel sheet; not opening unrequested documents thus is a way to mitigate the risk. Adobe plans to ready an update until next week aorund the 21st of March and will ship it immediately then. For Adobe Reader X the patch will take a little longer as the integrated sandbox prevents a successful exploit.

Avira products detect the exploit as EXP/CVE-2011-0609.

Dirk Knop
Technical Editor