Adobe Accelerates Patch Schedule for Critical Flash Bug

Adobe has moved up the release date for the patch for the critical bug in Adobe Flash Player revealed last week, and now plans to have a fix ready on Thursday. The company still plans to patch Reader two weeks from now.

The vulnerability in Flash also exists in Reader, and researchers said last week that attackers had already begun exploiting the bug in Reader by the time Adobe acknowledged the problem and published an advisory. At the time of the initial advisory, Adobe officials said they planned to release a patch for Flash on Nov. 9 and for Reader on Nov. 15.

On Tuesday, the company updated its guidance, saying that the patch for Flash on Windows, Mac, Linux and Solaris will be pushed out on Thursday, Nov. 4, and that the fix for Flash on Android will still be published Nov. 9. The schedule for the Reader patch remains the same.

A security researcher identified the Flash bug last Thursday and published a short explanation of it, which Adobe confirmed later in the day.

“A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.

There were reports on Wednesday that another unpatched bug in Adobe’s Shockwave software had been found, as well. Secunia posted an advisory saying that there’s a new use-after-free bug in Shockwave that can be exploited in certain Web-based attack scenarios.

“The vulnerability is caused due to a use-after-free error in an automatically installed compatibility component as a function in an unloaded library may be called,” the Secunia advisory said. “Successful exploitation allows execution of arbitrary code, but requires that a user is tricked into opening the “Shockwave Settings” window when viewing a web page.”

Adobe patched a previous vulnerability in Shockwave last week.
