As if the outstanding vulnerability in Adobe’s Reader and Acrobat products were not excess to our requirements, another vulnerability, this time in Adobe’s Flash Player, has been reported, and is apparently being exploited. Flash Player versions 10.1.82.76 and earlier are affected, for all platforms (Mac OS X, Linux, Windows, and Solaris), as is version 10.1.92.10 for Android. This vulnerability, which Adobe rates as Critical, also affects Reader and Acrobat, versions 9.3.4 and earlier, for Windows, Mac OS X, and Linux/UNIX. Further details are in Adobe’s Security Advisory [APSA10-03]. The vulnerability has been assigned CVE-2010-2884.
Adobe indicates, in the Security Advisory, that it intends to release a patch for this vulnerability for Flash Player during the week of September 27. They have not provided any mitigation advice or work-arounds.
Adobe has also updated their Security Advisory [APSA10-02] for the earlier vulnerability, indicating that they plan to release a patch for Reader and Acrobat during the week of October 4. This patch will also include a fix for this latest vulnerability [APSA10-03].
I will post updates here when I get any new information.
Update Saturday, 18 September, 23:45 EDT
Adobe has updated its Security Advisory [APSA10-03] to indicate that a patch will be available for Flash Player on Monday, September 20, 2010, for all platforms (Windows, Mac OS X, Linux, Solaris, and Android). A patch is already included with the Flash Player built into the latest version of Google Chrome, 6.0.472.62.