Adobe is planning to patch the recently disclosed Flash Player vulnerability on Friday for users on Windows, Mac OS X and Linux. The vulnerability is being used in targeted attacks right now that use malicious Word documents.
Adobe said on Wednesday night that it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel. A separate patch for Adobe Acrobat X for Windows and Mac, Reader X for Mac and Reader 9.x for Windows and Mac on April 25.
The company is planning to wait until June to release a patch for the Flash Player bug in Reader X for Windows because the sandbox in that application prevents exploitation of the vulnerability. The patch for Chrome will be available earlier than the others thanks to Adobe’s relationship with Google.
“During our response to any
zero-day vulnerability, Adobe seeks to protect as many users as quickly as
possible. As part of our collaboration with Google, Google receives updated
builds of Flash Player for integration and testing. Once testing is completed
for Google Chrome, the release is pushed via the Chrome auto-update mechanism.
Adobe is testing the fix across all supported configurations of Windows,
Macintosh, Linux, Solaris and Android (more than 60 platforms/configurations
altogether) to ensure the fix works across all supported configurations.
Typically, this process takes slightly longer and, in this case, is expected to
complete on April 15 for Flash Player for Windows, Macintosh, Linux and
Solaris,” the company said in a statement.
When they disclosed the vulnerability earlier this week, Adobe officials warned customers that the vulnerability was already being used in targeted attacks that were leveraging malicious Flash files embedded in Microsoft Word documents. Microsoft security engineers analyzed the attacks and found that the attackers are using a complex exploit routine to build shellcode and then inject the exploit code into the Flash Player.