Update: Adobe is in the process of finalizing a fix for the reported issue and expects to make available an update for Flash Player 10.2.x for Windows, Macintosh, Linux and Solaris on Friday, April 15, 2011. (PSIRT Blog)
Release date: April 11, 2011
CVE number: CVE-2011-0611
Affected software versions
- Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.2.154.25 and earlier for Chrome users
- Adobe Flash Player 10.2.156.12 and earlier for Android
- The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems
There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash file embedded in a Microsoft Word file that is delivered as an email attachment. These attacks are targeting the Windows platform. A successful attack would cause a crash and could potentially allow an attacker to take control of the affected system.
At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat. According to Adobe, Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
Adobe is in the process of finalizing a schedule for delivering updates for affected versions of Adobe products. However, because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, this issue will not be addressed in Adobe Reader X for Windows until the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.
- PSIRT Blog: Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat (APSA11-02)
- Security Advisory: Adobe - Security Advisories: APSA11-02 - Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat