Adobe finds exploited flaw in Flash Player


Adobe has reported a serious flaw in its Flash Player and in a component of Reader and Acrobat that, when exploited, could allow an attacker to take control.

The company's developers are having a busy time. This flaw was reported just as Adobe released a large 10-vulnerability patch that included a fix for a previous flaw found in the Shockwave player.

The new vulnerability spreads across many versions of Flash, Reader and Acrobat and the company said that the fix it has started working on will take over a week to be finalised. The latest release, version 10, will be patched after 9 November, the company has promised, and earlier versions will be covered after 15 November.

Until these fixes are released, Adobe advises users to delete or rename the "authplay.dll" file that ships with version 9 of Reader and Acrobat. The applications will still work unless the PDF file contains Flash content. If a Flash component is accessed the application will crash. Instructions for disabling the dll can be found in advisory CVE-2010-3654 on the Adobe site.

Flash Player version 10.1.85.3 and earlier versions are affected on Windows, Macintosh, Linux and Solaris operating systems, as well as 10.1.95.2 and earlier versions for Android.

The flaw also impacts the authplay.dll component in Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and Unix systems, as well as Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh.
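For administrators applying the interim advice, the sketch below is an added example, not code from Adobe or from this article. It checks an installed version against the affected ranges quoted above and finds and renames authplay.dll under a directory tree, defaulting to a dry run. The function names, the "desktop" label for the Windows, Macintosh, Linux and Solaris builds, and the ".disabled" suffix are assumptions made for illustration.

```python
import os
from pathlib import Path

# Inclusive upper bounds of the affected ranges, as stated in the article.
FLASH_MAX = {"desktop": (10, 1, 85, 3), "android": (10, 1, 95, 2)}
READER_ACROBAT_MAX = (9, 4)
TARGET_NAME = "authplay.dll"
SUFFIX = ".disabled"  # assumption: any new name works; this one is easy to revert


def parse_version(text):
    """'9.4.0' -> (9, 4). Trailing zeros are dropped so 9.4 == 9.4.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def flash_affected(version, platform="desktop"):
    """Flash Player: the listed version and everything earlier."""
    return parse_version(version) <= FLASH_MAX[platform]


def authplay_affected(version):
    """Reader/Acrobat: 9.4 and earlier 9.x only."""
    v = parse_version(version)
    return v[0] == 9 and v <= READER_ACROBAT_MAX


def disable_authplay(root, apply=False):
    """Find authplay.dll under root; rename it when apply=True.

    Returns (found_path, new_path) pairs. The default is a dry run so the
    list can be reviewed before anything on disk changes.
    """
    planned = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET_NAME:
                continue
            src = Path(folder) / name
            dst = src.with_name(name + SUFFIX)
            if dst.exists():      # never overwrite an earlier rename
                continue
            planned.append((src, dst))
            if apply:
                src.rename(dst)
    return planned
```

Renaming each file back to its original name reverses the change once the patched release is installed.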