In-the-wild attacks have been found that use a critical vulnerability in Flash to prey on Adobe Reader and Acrobat, Adobe said yesterday in a new Security Advisory. There are no known attacks on Flash itself; this exploit works on Reader and Acrobat by delivering a PDF with embedded Flash content that leverages the Flash vulnerability to crash Reader/Acrobat and take control of the system. The versions with this vulnerability are:
- Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.1.95.2 and earlier for Android
- Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX*
- Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh*
*Note: Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Adobe Reader for Android is not affected by this issue.
Lucky for us, the patch cycle for Flash is near and it will be receiving an update for this problem on November 9. Reader and Acrobat should get an update on November 15. Until then, Adobe has provided mitigation instructions in the advisory that consist of deleting, renaming, or removing access to the authplay.dll file that ships with Reader and Acrobat 9.x. With this mitigation in place, opening a PDF with Flash content causes a non-exploitable crash instead.
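The two practical questions from this advisory are "is my installed version in the affected range?" and "how do I apply the authplay.dll workaround?". The following is an added example (not Adobe's code or anything from the advisory) that answers both: the version ceilings come from the list above, while the install directory passed in and the `.disabled` rename suffix are assumptions for illustration.

```python
"""Version check and authplay.dll workaround for the Adobe advisory above.

Added example, not Adobe's code. Version ceilings are taken from the advisory;
the install directory argument and the ".disabled" suffix are assumptions.
"""
from pathlib import Path
from typing import Optional, Tuple

# Highest affected version per product, plus the single branch that is affected
# (None = no branch restriction). Reader/Acrobat 8.x are confirmed not vulnerable.
AFFECTED_CEILING = {
    "flash":         ("10.1.85.3", None),  # Windows, Macintosh, Linux, Solaris
    "flash-android": ("10.1.95.2", None),
    "reader":        ("9.4", 9),           # 9.x only
    "acrobat":       ("9.4", 9),           # 9.x only
}


def parse_version(text: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '10.1.85.3' into a fixed-width tuple so '9.4' compares equal to '9.4.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"too many version components: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(product: str, version: str) -> bool:
    """True if the given product/version falls inside the advisory's affected range."""
    ceiling, branch = AFFECTED_CEILING[product]
    v = parse_version(version)
    if branch is not None and v[0] != branch:
        return False  # e.g. Reader 8.2.x or 10.x: outside the vulnerable 9.x branch
    return v <= parse_version(ceiling)


def disable_authplay(install_dir: str) -> Optional[Path]:
    """Apply the advisory's workaround: rename authplay.dll so Reader/Acrobat cannot load it.

    Returns the new path, or None if no authplay.dll exists in install_dir
    (assumed to be the Reader/Acrobat 9.x program directory). Afterwards a PDF
    with Flash content produces a non-exploitable crash, as the advisory states.
    """
    dll = Path(install_dir) / "authplay.dll"
    if not dll.is_file():
        return None
    disabled = dll.with_name("authplay.dll.disabled")  # assumed suffix
    dll.rename(disabled)
    return disabled
```

Reverse the workaround after the November patches by renaming the file back, or simply let the updater replace it.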