Adobe Fixes Flash Flaw Earlier Than Expected

The new patch addresses a zero-day Adobe Flash bug that has been targeted by attackers

Adobe Systems pushed out a fix for an Adobe Flash Player zero-day faster than expected.

Initially expected to come out the week of 27 September, Monday’s patch fixed a vulnerability the company warned on 13 September had come under attack. Though the attacks have targeted Flash on Windows, the flaw impacts versions 10.1.82.76 and earlier on Windows, Macintosh Linux and Solaris, as well as version 10.1.92.10 on Android. Adobe Reader and Acrobat versions 9.3.4 and earlier on Windows and Macintosh systems are affected as well, as are Reader versions 9.3.4 and earlier on Unix.

“This vulnerability (CVE-2010-2884) could use a crash and potentially allow an attacker to take control of the affected system,” according to the Adobe advisory. “There are reports that this vulnerability is being actively exploited in the wild against Flash Player on Windows. Adobe is not aware of any attack exploiting this vulnerability against Adobe Reader or Acrobat to date.”

Still open is a separate zero-day affecting versions of Adobe Reader and Acrobat. The fix for that vulnerability is scheduled to come the week of 4 October. In the meantime, security vendor RamzAfzar has released an unofficial patch for the vulnerability, while Microsoft and Adobe have advised users to try Microsoft’s Enhanced Mitigation Experience Toolkit 2.0 as a stop-gap while they wait for the patch.