Adobe patches critical zero-day Flash flaw
Adobe has issued an out-of-cycle patch for its Flash, Reader, and Acrobat applications which it recommends all users upgrade to immediately. The fix will close a security hole in the Authplay component, which allows for the use of Flash within PDF files.
Code to exploit the vulnerability was out in the wild, Adobe has disclosed. It had initially believed that the vulnerability was only being exploited through malformed Flash .swf files within Excel spreadsheets, but it was discovered that attackers could also possibly exploit the vulnerability through holes in the PDF file format.
Fixes for Reader and Acrobat were issued as a precautionary measure, a spokesperson for the company said. There was no evidence of attack vectors using either application, however.
Chrome users do not need to update to the new Flash if they have the most recent available version of their browser. The update issued last week includes the same fix included in Monday's updates. If the user regularly uses another browser such as Internet Explorer, the patch would still need to be downloaded, Adobe says.
The exploit would cause a crash and a possible takeover of the affected system, allowing for the execution of arbitrary code. Apparently the severity of the issue was enough for Adobe to issue an out-of-cycle patch, ahead of its next scheduled quarterly release due on June 14.
If you are using Adobe X, the latest version of the Reader product, you are safe from this vulnerability. That is because the program uses a technology called "sandboxing." A popular method among developers these days for protecting computers against attacks, the sandbox isolates system processes.
An exploit would first need to crack the sandbox before it could exploit code based on any flaw. That would likely be seen as too time-consuming by many hackers, who would likely opt for easier hacks.