- Adobe warns of Flash Player zero-day attack | ZDNet
Malicious hackers are using rigged Microsoft Excel files to exploit a zero-day flaw in Adobe’s ubiquitous Flash Player software.
A security advisory from Adobe says the “critical” vulnerability affects the latest versions of Adobe Flash Player for Windows, Mac OS X, Linux, Solaris and Chrome. It also exists in the authplay.dll component that ships with Adobe Reader and Acrobat X.
“There are reports that this vulnerability is being exploited in the wild...
- Adobe - Security Advisories: APSA11-01 - Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat
Release date: March 14, 2011
- ISC SANS: Adobe Flash 0-day being used in targeted attacks
The US-CERT discussion of it is unusually detailed (for CERT) and has some good suggestions:
- US-CERT: Adobe Releases Security Advisory for Flash Player, Reader, and Acrobat
added March 15, 2011 at 10:29 am
Adobe has released a security advisory to alert users of a vulnerability affecting the following products:
- Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux, and Solaris
- Adobe Flash Player 10.2.154.18 and earlier versions for Google Chrome users
- Adobe Flash Player 10.1.106.16 and earlier versions for Android
- The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh.
Adobe has indicated that it expects to release a fix for this vulnerability during the week of March 21, 2011. In the interim, users and administrators are encouraged to implement the following workarounds to help reduce the risks.
- Disable Flash in the web browser as described in the Securing Your Web Browser document.
- Disable Flash and 3D & Multimedia support in Adobe Reader 9 and later.
- Prevent Internet Explorer from automatically opening PDF documents.
- Disable the displaying of PDF documents in the web browser.
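To apply the affected-version list in the US-CERT excerpt to a software inventory, the following added example (not code from Adobe, US-CERT or any of the linked pages) compares installed versions numerically, with a separate threshold for each product line. The product keys, host names and sample inventory are constructed for illustration, and "not listed" means only that the version is outside the ranges the excerpt names.

```python
# Added example: triage an inventory against the versions named in the
# US-CERT excerpt. Product keys and the sample inventory are constructed.
HIGHEST_AFFECTED = {
    "flash-desktop": "10.2.152.33",  # Windows, Macintosh, Linux, Solaris
    "flash-chrome": "10.2.154.18",   # build bundled with Google Chrome
    "flash-android": "10.1.106.16",
    "reader-acrobat": "10.0.1",      # carries Authplay.dll; 9.x and 10.x only
}

def parse_version(text):
    """Turn '10.2.152.33' or the comma form '10,2,152,33' into an int tuple."""
    parts = text.strip().replace(",", ".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(product, version):
    """Return 'affected' or 'not listed' for one installed product."""
    limit = parse_version(HIGHEST_AFFECTED[product])
    found = parse_version(version)
    # Pad to equal length so 10.0.1 and 10.0.1.0 compare as equal.
    width = max(len(limit), len(found))
    limit += (0,) * (width - len(limit))
    found += (0,) * (width - len(found))
    if product == "reader-acrobat" and found[0] < 9:
        return "not listed"  # the excerpt names only the 9.x and 10.x lines
    return "affected" if found <= limit else "not listed"

def affected_hosts(inventory):
    """inventory: iterable of (host, product, version) tuples."""
    return [host for host, product, version in inventory
            if triage(product, version) == "affected"]

# Constructed sample inventory.
SAMPLE = [
    ("ws-01", "flash-desktop", "10,2,152,26"),
    ("ws-02", "flash-chrome", "10.2.154.18"),   # above the desktop threshold
    ("ws-03", "flash-desktop", "10.2.153.1"),
    ("ws-04", "reader-acrobat", "9.4.2"),
    ("ws-05", "reader-acrobat", "10.0.2"),
    ("ph-01", "flash-android", "10.1.106.16"),
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE):
        print(host)
```

A single threshold of 10.2.152.33 applied to every Flash install would miss the Chrome-bundled build on ws-02, which is why the table is keyed by product line.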