Adobe admits to zero-day exploit in Flash for Android
updated 04:45 pm EDT, Tue September 14, 2010
Adobe Flash, Reader, Acrobat vulnerable to attack
Adobe outlined a zero-day flaw in Adobe Flash that can be used to crash the system it's hosted on or even let an attacker install other malicious software. The problem affects Flash for Android OS devices as well as other components, but Flash is the only component Adobe says is being exploited, with no reports of attacks on Reader or Acrobat to date.
Adobe is taking steps to fix this by sharing information with security partners to bring out detection and quarantine methods. Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris and Android are vulnerable, as is Adobe Reader 9.3.4 for Windows, Macintosh and Unix, and Adobe Acrobat 9.3.4 along with earlier versions for Windows and Macintosh.
Concerns exist about what kind of security updates portable Android device owners can expect, as the platform is not as well protected as notebook computers.
Adobe's security advisory said the company is finalizing a solution to this issue and that Flash Player users on Windows, Mac, Linux, Solaris and Android can expect a software update the week of September 27. A similar update for Adobe Reader 9.3.4 for Windows, Mac and UNIX, and Adobe Acrobat 9.3.4 for Windows and Mac, is due to arrive the week of October 4.
The hole represents one of the first security exploits to affect mobile Flash 10.1 as well as the desktop version, and it reinforces fears about Flash mentioned by Apple chief Steve Jobs and others. On a mobile device, the plugin ends up creating a vulnerability where one wouldn't exist without the plugin. Security is more of an issue on mobile, as many cellular devices are more exposed through an always-on connection and a lack of powerful security software.





Fresh-Faced Recruit
Joined: Jan 2008
Flash.
I'll bet Jobs & Co. are enjoying this.