In what's become an all-too-familiar refrain, Adobe has released yet another security bulletin, APSA 10-03, giving very few details about a new zero-day hole in Flash. The hole apparently exists not only on Windows systems, but also Mac, Linux, Solaris, and Android.
The zero-day security flaw "could cause a crash and potentially allow an attacker to take control of the affected system." Adobe further advises, "There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows."
[ Also on InfoWorld: Adobe and other developers got a huge boost last week when Apple announced looser restrictions on its programming tools | Take your security to task with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
In a different twist, the same security hole also bedevils Adobe's Acrobat and Reader, according to Adobe, leaving them both exposed to the same kind of exploit. Blame the Flash player embedded in Reader.
Adobe says it plans to have a fix available for Flash during the week of Sept. 27.
The company also says it'll be able to patch Acrobat and Reader the week of Oct. 4. According to security bulletin APSA 10-02, that's the same time Adobe promises to have a fix for the Acrobat and Reader zero day I talked about last week in my Tech Watch post "Dangerous Adobe Reader zero-day raises the bar." It leaves me wondering how the two are related.
Adobe's playing this one very close to the chest -- I've seen no details about the hole on any of the usual hacking sites. The security bulletin says, "Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available." It could be -- but if true, none of that information has leaked, at least as of this writing.
The authoritative SANS Internet Storm Center doesn't pull any punches:
Keep an eye out for this one folks. It will take a bit for the anti-virus, IDS/IPS and other vendors to catch up and detect the malware that exploits the vulnerability. Although by that point the box affected may well be compromised as most detect after the exploit has already taken place. Since the vendor has released the advisory after being notified that exploits are already occurring against Windows boxes it is recommended to explore workarounds for mitigation, detection of already compromised hosts, and cleanup
Flash -- it's the player that keeps on giving.
This article, "Another day, another Flash zero-day vulnerability," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.