Adobe: Flash, Reader hole used in PDF attacks

Vulnerability is being exploited in attacks on Adobe Reader and Acrobat to drop a Trojan on computers. So far, company isn't aware of attacks targeting Flash Player.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

A new critical vulnerability in Flash and Adobe Reader and Acrobat 9.x is being exploited to attack computers running the popular PDF viewer software, Adobe warned today.

Adobe is not currently aware of attacks targeting Flash Player, the company said in a blog post.

The bug is in Flash Player 10.1.85.3 and earlier versions for Windows, Mac, Linux, and Solaris, and Flash Player 10.1.95.2 and earlier for Android. It also is in the authplay.dll component in Reader 9.4 and earlier 9.x versions for Windows, Mac, and Unix, and Acrobat 9.4 and earlier 9.x versions for Windows and Mac. The component renders Flash content in the PDF viewer.

Adobe Reader and Acrobat 8.x and Reader for Android are not impacted by the flaw, the company said.

The hole could be used by an attacker to take control of the system. In the existing attacks, a Trojan is being dropped onto victims' computers that steals sensitive data and loads other malware, according to ThreatExpert.

Adobe is working on a fix and expects to provide it in an update for Flash Player by November 9 and an update for Reader and Acrobat 9.x during the week of November 15.

Workarounds are included in this security advisory.

This afternoon, Adobe issued a fix for a hole in Shockwave Player that was disclosed last week. Earlier this month, the company plugged 23 holes in Reader and Acrobat, including two being used in attacks.

The company is adding sandbox technology designed to add more layers of protection to the next version of Adobe Reader, Reader X, which is due out by mid-November.

Updated 12:50 p.m. PDT with Adobe releasing fix for Shockwave Player hole.