Flash hole fix coming next week, says Adobe

SeaMonkeys taking on Trojan horses

Tags: trojan horse, flash, adobe, firefox

By Elinor Mills

Published: 24 July 2009 08:59 GMT

Adobe said Thursday that it will issue fixes next week for a critical hole in Flash that is being exploited in attacks against Adobe Reader version 9 on Windows.

The vulnerability exists in current versions of Flash Player for Windows, Macintosh, and Linux and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for those same platforms, Adobe said in an advisory.

The vulnerability could cause a system to crash or allow an attacker to take control of the computer, Adobe said.

An update for Flash Player v9 and v10 for Windows, Mac, and Linux will be released by 30 July, while a fix for Solaris is pending. Adobe should have an update for Reader and Acrobat v9.1.2 for Windows, Macintosh, and Unix by 31 July.

An attacker can exploit the vulnerability by luring someone to a website hosting a specially crafted Shockwave Flash file, US-Cert said in an advisory on Thursday.

Cert said: "The Adobe Flash browser plug-in is available for multiple web browsers and operating systems, any of which could be affected.

"An attacker could also create a PDF document that has an embedded SWF file to exploit the vulnerability. This vulnerability is being actively exploited."

The vulnerabilities can be mitigated by disabling the Flash plug-in or by using the NoScript extension for Mozilla Firefox or SeaMonkey to whitelist sites that can access the Flash plug-in, Cert said.

Windows Vista users can mitigate the impact of the exploit by enabling UAC (User Account Control), according to Adobe. Flash Player users should be careful when browsing unfamiliar websites.

Researchers on Wednesday reported that they had uncovered attacks in the wild in which malicious Acrobat PDF files were exploiting a vulnerability in Flash and dropping a Trojan onto computers.

The bug used in the exploit has been around since December 2008.
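For defenders triaging mail attachments or downloads, the PDF-with-embedded-SWF vector Cert describes can be checked for by looking inside each PDF stream for a Flash file header. The following Python sketch is an added example, not code from Adobe, Cert or the original article; the function names, the version bound and the sample document are assumptions constructed for illustration.

```python
import re
import struct
import zlib

# SWF signatures: uncompressed, zlib-compressed, LZMA-compressed
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def looks_like_swf(data):
    """True if data starts with a plausible 8-byte SWF header."""
    if len(data) < 8 or data[:3] not in SWF_MAGICS:
        return False
    version, declared_len = struct.unpack("<BI", data[3:8])
    # Heuristic bounds (assumption): sane version, length covers the header
    return 1 <= version <= 60 and declared_len >= 8


def find_embedded_swf(pdf_bytes):
    """Return byte offsets of PDF streams whose content is a SWF file."""
    hits = []
    for m in STREAM_RE.finditer(pdf_bytes):
        raw = m.group(1)
        candidates = [raw]
        try:
            # Most PDF streams use /FlateDecode (zlib); try inflating
            candidates.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            pass
        if any(looks_like_swf(c) for c in candidates):
            hits.append(m.start())
    return hits


def build_sample_pdf():
    """Constructed test input: a PDF-like byte string with two streams."""
    # Header plus zero padding only; not a real Flash movie
    fake_swf = b"CWS" + struct.pack("<BI", 9, 64) + b"\x00" * 56
    bodies = (zlib.compress(b"BT /F1 12 Tf (hello) Tj ET"), zlib.compress(fake_swf))
    parts = [b"%PDF-1.7\n"]
    for num, body in enumerate(bodies, start=1):
        head = b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n"
        parts.append(head % (num, len(body)) + body + b"\nendstream\nendobj\n")
    return b"".join(parts) + b"%%EOF\n"


if __name__ == "__main__":
    print("SWF-bearing streams at offsets:", find_embedded_swf(build_sample_pdf()))
```

The scan only sees streams stored raw or Flate-compressed at the top level of the file, so a clean result does not prove a PDF carries no Flash content; streams packed inside object streams or encoded with other filters need a full PDF parser.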

Original article: Adobe to fix critical Flash hole next week from CNET News.com
