Adobe Flash Zero-Day Exploit

Postby Antony » Tue 15 Mar, 2011 8:25 am

Adobe is still working on a fix for this vulnerability (CVE-2011-0609) at the time of posting.

Adobe has published a security advisory in response to a critical flaw found in Flash Player. The vulnerability affects Flash Player version 10.2.152.33 and earlier across all major platforms including Windows, Mac OS X, Linux, Solaris, and Android, and also impacts the authplay.dll component included in Adobe Acrobat and Adobe Reader X. Adobe Flash Player 10.2.154.18 and earlier for Chrome is also affected.

A successful exploit of the Flash vulnerability could crash the system, or allow the attacker to take complete control of the affected system.

Adobe reports that the flaw is being actively exploited in the wild in targeted attacks using a malicious Flash file (SWF) embedded in a Microsoft Excel (XLS) e-mail file attachment. Adobe stresses that the Protected Mode sandbox in Reader X would prevent the malicious exploit from executing.

An update for Flash Player, Acrobat, and some versions of Reader is expected to be available sometime next week. Unlike Android devices, Apple’s iOS devices continue to eschew Flash, and are among the few devices immune from this latest security flaw. Apple also recently took the step of removing Flash as a standard install on some of its notebook lines.
UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 AlexaToolbar/alxf-2.0 Firefox/3.6.15
Antony
diamond member
Posts: 14930
Joined: Tue 18 Jun, 2002 11:36 pm
Location: Sydney, Australia

Re: Adobe Flash Zero-Day Exploit

Postby Antony » Thu 17 Mar, 2011 6:55 am

Google has updated Chrome, patching this flaw in the browser's copy of Flash Player. This move makes Chrome the browser to patch this Adobe Flash Zero-Day Exploit. Users of Internet Explorer (IE), Firefox, Safari and Opera won't receive a Flash update from Adobe until next week.

After updating Chrome to version 10.0.648.134, the browser reports that it's running Flash Player 10.2.154.25, a step up from the 10.2.154.18 bundled with the last update of the browser.

Adobe confirmed that Chrome's integrated copy of Flash includes the patch for the zero-day vulnerability.

"As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing," said Adobe spokeswoman Wiebke Lipps today. "Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism."

Chrome 10.0.648.134 with the patched Flash Player can be downloaded for Mac OS X, Windows and Linux from Google's Web site. Users already running the browser will be updated automatically.

Re: Adobe Flash Zero-Day Exploit

Postby Antony » Tue 22 Mar, 2011 7:22 am

Adobe has issued a patch for all platforms affected by the critical vulnerability in Flash Player 10.2.152.33 and earlier versions. Adobe has issued a new bulletin (CVE-2011-0609) explaining the flaw and the steps that users need to take in order to install the patch.

PC users who have been affected by the issue enabled the exploit by opening an Excel file that contained a malicious Flash file. When activated, the code in the corrupted Flash file could cause a system to crash, which could then potentially allow an attacker to take control of the infected system through code execution.

Adobe recommended updating to the following versions:
Adobe Player to version 10.2.153.1
Flash Player for Android to 10.2.156.12
Google Chrome to 10.2.154.25 (Flash Player version)
AIR to version 2.6

The latest version of Adobe Flash Player can be downloaded at http://get.adobe.com/flashplayer/

Adobe also recommends applying the latest security updates for Adobe Reader and Acrobat; a security bulletin for Adobe Reader and Acrobat is also available.

