Adobe said it is releasing security updates on Monday to address a critical vulnerability in Adobe Flash Player that is being exploited in the wild and could allow a remote attacker to take control of the affected system.
The patch is a follow-up to a March 14 Security Advisory from the company regarding a hole in its Flash technology that also affects Adobe Reader and Acrobat. In its Advisory, Adobe said that it has received reports that the vulnerability was being exploited in the wild.
The critical patch is for the vulnerability affecting version 10.2.152.33 and earlier for Windows, Mac, and the Solaris operating systems. For Chrome users, the affected versions are 10.2.154.18 and earlier. Android users on version 10.1.106.16 and earlier are affected as well. The flaw also affects the authplay.dll component shipping with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh.
The company has acknowledged attacks targeting the hole, in which Flash files embedded in Microsoft Excel files were sent to victims as e-mail message attachments. Adobe said it is not yet aware of anyone exploiting these vulnerabilities in attacks against Reader or Acrobat. In addition, running Adobe X in protected mode will prevent an exploit of this kind from executing, the company said.
Once the patch is available, Adobe recommends that all affected users update immediately, which can be done at Adobe’s Product Security Incident Response Team Blog.
Adobe’s software has proved to be fertile ground for malicious hackers and is a frequent target of attacks online. The ubiquity of software like Adobe Acrobat Reader and Flash makes them reliable doorways onto endpoints. The company has taken steps to improve the security of its products, including the introduction of application sandbox features in its Acrobat Reader client to help prevent malicious code from compromising the host operating system.