Adobe Systems has released a new Security Advisory [APSA 10-05] for its Flash Player, Reader, and Acrobat software. There is a critical security vulnerability present in all current versions of these packages, on all platforms (Windows, Mac OS X, and UNIX/Linux):
A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.
Adobe says that:
Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Adobe Reader for Android is not affected by this issue.
The vulnerability is serious, and it appears that is is being exploited currently by Flash content embedded in PDF documents.
This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.
The announcement says that Adobe is working on a fix, and expects to deliver it by the middle of November.
The vulnerability is in a shared (DLL) library, called
authplay.dll on Windows systems,
AuthPlayLib on Mac OS X, and
libauthplay.so.x.y.z on Linux. Mitigation steps are detailed in the Security Advisory, but basically entail renaming, relocating, or removing this library. This will in some cases cause a non-exploitable crash, when a document file using these features (even innocently) is opened.
I will post any updated information on this as I receive it.