Adobe said on Monday that it will have a patch available for the newly discovered critical vulnerability in Flash ready by June 10 for most platforms. The patches for Adobe Reader and Acrobat, which also are affected by the flaw, won’t be released until June 29.
The new flaw was discovered late last week and Adobe security officials said that they were aware of attacks against the vulnerability in the wild. Adobe usually distributes its patches on a quarterly basis, but Brad Arkin, the company’s director of product security and privacy, said in a blog post Monday night that the company decided to push the releases up.
The June 29, 2010 security update for Adobe Reader and Acrobat represents an accelerated release of the next quarterly security update originally scheduled for July 13, 2010. In addition to addressing CVE-2010-1297, the accelerated next quarterly Adobe Reader and Acrobat update will also resolve a number of responsibly disclosed vulnerabilities. The full details will be in the Security Bulletin and Release Notes we will publish when the security update is posted.
Among other options, we also considered the alternative of releasing a one-off 0-day fix followed a couple of weeks later by the July 13 quarterly update. However, two patches within three weeks would have incurred too much churn and patch management overhead on our users, in particular for customers with large managed environments.
The patch for Flash released on June 10 will address the vulnerability on Windows, Mac and Linux. The release date for a Flash patch for Solaris has not been determined yet. Also on Monday Adobe released updated mitigation guidance for users looking to thwart attacks before the patch is available.
For Windows users:
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader 9.x and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.
The authplay.dll that ships with Adobe Reader 9.x and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
For Mac users, the guidance is specific to each vulnerable application and can be found in Adobe’s advisory.
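For administrators applying the Windows rename mitigation across managed machines, the following PowerShell script is an added example and is not Adobe's own tooling. It reports the state of authplay.dll at the typical locations quoted above and renames the file only when run with `-Apply`. The `-Apply` switch, the `.disabled` suffix and the extra "Program Files (x86)" root are assumptions made for this example.

```powershell
# Added example: audit or apply the authplay.dll rename mitigation.
# Relative paths come from the guidance quoted above; checking the
# "Program Files (x86)" root as well is an assumption for 64-bit Windows.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,                  # hypothetical switch: without it, report only
    [string]$Suffix = '.disabled'    # hypothetical suffix for the renamed file
)

$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

$relative = @(
    'Adobe\Reader 9.0\Reader\authplay.dll',
    'Adobe\Acrobat 9.0\Acrobat\authplay.dll'
)

foreach ($root in $roots) {
    foreach ($rel in $relative) {
        $path    = Join-Path $root $rel
        $renamed = "$path$Suffix"

        if (Test-Path -LiteralPath $path) {
            $state = 'Present'
        } elseif (Test-Path -LiteralPath $renamed) {
            $state = 'AlreadyRenamed'
        } else {
            $state = 'NotInstalled'
        }

        if ($Apply -and $state -eq 'Present' -and
            $PSCmdlet.ShouldProcess($path, "Rename to authplay.dll$Suffix")) {
            try {
                Rename-Item -LiteralPath $path -NewName "authplay.dll$Suffix" -ErrorAction Stop
                $state = 'Renamed'
            } catch {
                # Typical causes: shell not elevated, or Reader/Acrobat has the DLL loaded.
                $state = "Failed: $($_.Exception.Message)"
            }
        }

        # One object per candidate path, suitable for Export-Csv or fleet reporting.
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Path = $path; State = $state }
    }
}
```

Run it from an elevated prompt with Reader and Acrobat closed; adding `-WhatIf` alongside `-Apply` previews the renames without changing anything.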