Adobe scrambles to squash another zero-day vulnerability

Acrobat, Flash Player, and Reader susceptible to vulnerability that can give hackers control over affected machines

Adobe is rushing to fix yet another zero-day vulnerability, this time affecting versions of Flash Player, Reader, and Acrobat on Windows, Mac, Linux, and Solaris. The vulnerability, the company reports, can cause affected systems to crash and allows attackers to take control of them.

"There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player," the company reported in a security bulletin issued today.

Adobe says it is working on fixes for the vulnerabilities: The update for Flash Player 10.X is expected by Nov. 9, and the update to Reader and Acrobat 9.4 and earlier 9.x versions should arrive the week of Nov. 15. In the meantime, the company offers mitigations, which amount to deleting, renaming, and/or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x.

The news certainly doesn't help Adobe's already tarnished reputation for rolling out vulnerable software. Apple CEO Steve Jobs infamously denounced Adobe over the insecurity of Flash. Meanwhile, a recent study by security company Secunia found that four of Adobe's popular products -- Reader, Acrobat, Flash Player, and AIR -- were among the 10 most vulnerability-riddled software offerings in use today.

A portion of that dubious distinction can be attributed to the fact that Adobe's products are extremely popular. Malware makers and hackers, after all, prefer to target the most widely used software because it means more potential targets.

Still, there must be a point at which companies and end-users will lose faith in Adobe products and shun them in an Apple-esque manner, thus giving would-be competitors a chance to chip away at the company's market share.

This article, "Adobe scrambles to squash another zero-day vulnerability," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.