Adobe has issued a security advisory about a "critical" vulnerability in its Flash Player and Adobe Reader and Acrobat products that it says could let attackers take control of people's computers.
The company said late Friday that there had been reports of the hole actually being exploited and that an official patch was not yet available.
Affected software includes:
- Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux, and Solaris
- Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh, and Unix
The company said that the Flash Player 10.1 Release Candidate does not seem to be vulnerable and that Adobe Reader and Acrobat 8.x are confirmed not vulnerable.
Adobe didn't say when an official fix would be released, but according to the company, computer users can mitigate the Flash issue by downloading the release candidate mentioned above. The Acrobat and Reader issue can be addressed by "deleting, renaming, or removing access to the authplay.dll file" that ships with those products, Adobe said. This will, however, cause a nonexploitable crash or error message if a user opens a PDF file that contains SWF content. The .dll file is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat, Adobe said.
The complete security advisory is available here.