Last Thursday, I posted a note here about a new Adobe Security Advisory [APSA 10-05], warning of a newly-discovered critical vulnerability in Adobe’s Flash Player. (This vulnerability has been assigned CVE-2010-3654.) The vulnerability also affects the Reader and Acrobat products, since they incorporate an embedded Flash player.
The folks over at the SANS Internet Storm Center are now confirming that there is an exploit for this flaw being circulated on the Internet. At present, the attack is in the form of Flash content embedded in a PDF document. Adobe says that they are working on a fix, which they expect to be available by November 9 for Flash Player, and by November 15 for Reader and Acrobat. They may speed this up, but you might want to consider implementing the threat mitigation steps, described in the Security Advisory, which I mentioned in my earlier post.
I will post updated information here as I receive it.
Update Wednesday, 3 November, 12:10 EDT
Adobe has now updated the Security Advisory [APSA 10-05] to say that the fix for Flash Player, on Windows, Mac OS X, Linux, and Solaris, will be available by tomorrow, November 4.