Adobe today released a new Adobe Product Security Advisory [APSA 11-02], detailing a new zero-day vulnerability in its Flash Player. According to Adobe, attempts to exploit the flaw could cause a system crash, or allow the attacker to take control of the affected system. At present, the known exploits are directed at Windows systems, and use Flash content embedded in a Microsoft Word document, delivered as an E-mail attachment. All recent versions of the player are vulnerable; Adobe lists the following affected versions:
- Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.2.154.25 and earlier for Chrome users
- Adobe Flash Player 10.2.156.12 and earlier for Android
- The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems
Adobe also says that, although the vulnerability exists in Reader X for Windows, the Protected Mode feature would prevent it from being exploited.
At present, Adobe has not set a date for supplying a fix for this vulnerability. As always, you should be very careful with E-mail attachments from any source that is not totally trusted. I will post further information on this as I am able to get it.