New Adobe Flash Bug Being Exploited

On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won’t be patched for nearly two weeks.

On the same day that it plans to release a patch for a critical flaw in Shockwave, Adobe confirmed on Thursday morning that there is a newly discovered bug in Flash that is being actively exploited already in attacks against Reader. The vulnerability affects Flash on all of the relevant platforms, including Android, as well as Reader on Windows and Mac, and won’t be patched for nearly two weeks.

The new Flash bug came to light early Thursday when a researcher posted information about the problem, as well as a Trojan that is exploiting it and dropping a pair of malicious files on vulnerable PCs. Researcher Mila Parkour tested the bug and posted a screenshot of the malicious files that a Trojan exploiting the vulnerability drops during its infection routine. Adobe has since confirmed the vulnerability and said that it is aware of the attacks against Reader.

“A
critical
vulnerability has been identified

in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh,
Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for
Android; and the authplay.dll component that ships with Adobe Reader
9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe
Acrobat 9.4 and earlier 9.x versions for Windows
and Macintosh. This vulnerability (CVE-2010-3654) could cause a crash
and potentially allow an attacker to take control of the affected
system,” Adobe said.

This flaw is the latest is a string of bugs that have cropped up in Adobe products in the last few months. There have been a number of critical flaws exposed in Flash, Reader and other Adobe software, including one in the company’s Shockwave application, which it is patching on Thursday. The Shockwave flaw is remotely exploitable and the details of it have been known publicly for some time.

Adobe security officials said they plan to patch the Flash bug on Nov. 9 and will release a fix for Reader and Acrobat during the week of Nov. 15. 

Suggested articles

Discussion

  • Arcturus on

    Would like to see a link at the bottom of these stories with information on 

    ways to protect yourself when waiting on these patches. Not just on this alert but all

    alerts you might post here in the future. 

  • Anonymous on

    Would like to see a link at the bottom of these stories with information on ways to protect yourself when waiting on these patches. Install Firefox, run private browsing mode, and install the NoScript add-on. It will turn off scripts by default unless you allow them on a per site basis. While your at it, install BetterPrivacy to delete Flash cookies, Ghostery to disable web bugs, FlagFox to tell you the country where the web site your visiting server is located (some help), WOT, and Ad Block Plus as this is used as a avenue as well. If on Safari, install the Click to Flash plug-in and enable Private Browsing mode. On IE, you dead meat.
  • Anonymous on

    Here's an idea... uninstall flash.  Or better yet, stay off the internet :D

  • Anonymous on

    NoScript rules!
  • Meikel71 on

    As I told year ago, Flash is devil.

     

  • Axilmar on

    Can someone point to some tecnhical information about the bug? was it a buffer overflow? a wild pointer?

  • Anonymous on

    Getting freaking tired of patching Adobe products.  Adobe attacks account for almost %50 of the incidents out there. Maybe the Chinese or Russian owns Adobe...  Adobe, get your f**king products acts together...

  • Anonymous on

    Meikel71 is right...
  • Anonymous on

    Is there any information on whether this infects Windows systems where the running account has no admin rights?
  • Anonymous on

    It's perfectly common for applications to have bugs. What's getting people agitated when they say they will release a fix to a gaping and actively exploited hole in their product in TWO WEEKS. My recommendation: Uninstall adobe reader and use foxit or similar, and run your browser in a sandbox (like sandboxie)
  • Anonymous on

    How much faster do you think computers would be if absolutely no security measures were needed? In programming , I have noticed that I can trade security for efficiency at an alarming rate, seems like computers would work much, much faster if there wasn't people making viruses and such...

    But at least these issues are addressed when they appear, though the programmers should really know their programs enough to fix them before they are released to the public like this...

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.