Want CNET to notify you of price drops and the latest stories?

Adobe patches Flash hole

Adobe issues patch for Flash player vulnerability as worries over unpatched Adobe Reader hole mount.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Adobe released a patch for a Flash player hole this week that could allow an attacker to remotely take control of a computer.

The vulnerability is critical for one for Adobe Flash Player and earlier versions, the company said in an advisory.

To exploit the vulnerability, a targeted user must load a malicious Shockwave Flash file, which can be done by social engineering the user or injecting malicious content into a compromised, trusted Web site, according to an advisory from security firm iDefense.

Internet Explorer and Firefox plug-ins can be used to temporarily block and unblock Flash content, iDefense said.

While Adobe was releasing news about the Flash vulnerability, more information was surfacing about the hole in Adobe Reader 9 and Acrobat 9 that was announced last week. A patch is due by March 11.

Security company Sourcefire, which released a patch of its own, told IDG News Service that it has found evidence of attacks exploiting the vulnerability for more than six weeks.

There were two critical vulnerabilities in Adobe Reader last year that resulted in remote code execution exploits, according to an entry on the IBM Internet Security Systems blog.

"Currently, we have only witnessed this [new] exploit in highly targeted attacks and have not detected this exploit utilized heavily in the wild yet," the blog entry said. "But it is unknown how long it will be before we see this spread quickly through malicious websites. Milw0rm just released proof-of-concept exploit code. So, we don't expect it to take long before this exploit moves beyond targeted attacks to malicious exploit toolkit integration and widespread exploitation."