Adobe has issued updates for the Flash Player on all platforms to address a vulnerability being exploited in the wild. Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.92.10 for Android, are vulnerable. Adobe categorizes this as a critical issue.
The new version is 10.1.95.10 on Android and 10,1,85,3 on other platforms. Google started pushing the fixed version of Flash Player integrated into the Chrome browser earlier. According to Adobe, this was because testing Google’s 3 configurations was a simpler, shorter process than testing the 60 versions Adobe distributes.
Adobe’s Acrobat and Reader programs integrate Flash functionality, so all Flash updates must also result in updates to these programs. Adobe has scheduled a release for this purpose and for another unpatched vulnerability for the week of October 4.
Adobe reports that this Flash vulnerability is being exploited in the wild against Flash Player on Windows. Other Flash platforms, Reader and Acrobat are vulnerable, but Adobe is not aware of any attacks exploiting this vulnerability against them.
Monday’s patch closes one of two known zero-day vulnerabilities being used to attack Adobe users. As previously reported by The Register, a highly sophisticated attack spreading by email attempts to install malware on Windows machines by tricking recipients into opening a booby-trapped PDF file. The underlying stack overflow vulnerability affects non-Windows versions of Reader as well. Adobe has said a patch for that bug will be released the week of October 4.
As usual, Windows-based Flash users who surf the web with Firefox or any other browser besides Internet Explorer will have to install the patch at least twice to be fully protected. Users are reminded to uncheck the box hawking free software such as McAfee Security Scan when updating.
You can download the latest Flash player from Adobe at the link below:
Release date: September 13, 2010
Last updated: September 20, 2010
Vulnerability identifier: APSA10-03
CVE number: CVE-2010-2884