Zero-day flaw in Adobe Flash Player already being exploited in the wild

Apple Online StoreAdobe has issued the following Security Advisory for Flash Player:

Release date: September 13, 2010
Vulnerability identifier: APSA10-03
CVE number: CVE-2010-2884

Platform: All

SUMMARY

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

AFFECTED SOFTWARE VERSIONS

Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android
Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh
SEVERITY RATING

Adobe categorizes this as a critical issue.

DETAILS

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed
here: http://blogs.adobe.com/psirt/atom.xml

MacDailyNews Take: Besides peddling bloated, insecure, outmoded crapware, you’re doing a heckuva job, Adobe!

29 Comments

  1. wow do you guys (and possibly girls) realize that if this were being exploited in the wild on the mac it would be the second virus for mac os 10 ever (not counting proof of concept programs). the first one was back in 2006 (it could only spread over lans).

    And I am sooo glad there is no flash on ios

  2. >Why do they expect it to take so long to have a fix in place? Seriously. With all of the resources they have at their disposal.

    Very busy peddling flash on the Android platform. Priorities man…priorities!!! ” width=”19″ height=”19″ alt=”wink” style=”border:0;” />

  3. about a month ago I just took the flash plugin and trashed it.(I have ClickToFlash now but I don’t think the flash works, I just got tired of safari telling me I needed to update flash every time I visited macrumers.com)

  4. The fix is two weeks away? But since it’s a “zero day” vulnerability, that has been in “earlier versions for Windows and Macintosh,” that probably means hackers have been stealthily exploiting it for months, maybe years. So what’s another two weeks…? ” width=”19″ height=”19″ alt=”wink” style=”border:0;” />

  5. “Adobe recommends that users follow security best practices” by recommending people stop using Adobe Flash Player and Acrobat Reader products.
    ” width=”19″ height=”19″ alt=”raspberry” style=”border:0;” />

  6. Ah I see. Now I know why you didn’t run a story on Apple allowing Adobe Flash developers to make apps. You’re Adobe haters. Look I love Apple too MDN but they are not Gods. Give me the name of another desktop/web publishing suit like Adobes (not better or worse, just another one) and I’ll go check it out.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.