Adobe Flash Player and Adobe Reader/Acrobat are currently vulnerable to exploits being used in the wild. A Security Bulletin has been published for both the Adobe Reader and Adobe Flash Player issues. Both products are going to be patched on an accelerated schedule. Updates should land during the week of October 4th for Adobe Reader and Acrobat. The Flash Player update will land tomorrow, September 20, 2010. Google Chrome is already patched if running version 6.0.472.62. The normally scheduled update for October 12th will not be happening as a result of this emergency patching.
Adobe Reader is affected on Windows, Mac, and Unix, as is Acrobat on Windows and Mac. Adobe Flash Player is affected on Windows, Mac, Linux, Solaris, and Android. The vulnerability would allow remote code execution, potentially letting an attacker take control of a system.
The vulnerability stems from a vulnerable DLL called CoolType.dll. For those who can’t wait until October 4th for a fixed Reader, an unofficial patch is available that replaces the bad DLL with a patched one, but Adobe cautions users against taking this route. Renowned IT security researcher Didier Stevens seems to be giving the unofficial patch the OK, though:
Took a look at @Ramz_Afzar 's patch. Does as advertised, and nothing more. strcat -> strncat with n = 160.
— Didier Stevens (@DidierStevens) September 16, 2010
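The strcat-to-strncat change the tweet describes, as an added example (this is not the unofficial patch or Adobe's code). Only n = 160 comes from the page; the 256-byte buffer, the sample strings and all function names are assumptions made here. It shows that strncat's n bounds the bytes appended, not the destination size, so the bound only helps when the destination has that much room left.

```c
#include <stdio.h>
#include <string.h>

#define APPEND_MAX 160  /* the n quoted in the tweet */
#define DEST_SIZE  256  /* assumed buffer size, not taken from the page */

/* Before: strcat copies until src's terminating NUL, whatever dest can hold. */
void append_unbounded(char *dest, const char *src) {
    strcat(dest, src);
}

/* After: strncat appends at most n bytes plus a NUL. n counts appended bytes,
   not the size of dest, so it is clamped to the room that is actually left.
   Returns 1 if src was truncated, 0 if it fit, -1 if dest has no NUL. */
int append_bounded(char *dest, size_t dest_size, const char *src, size_t n) {
    const char *end = memchr(dest, '\0', dest_size);
    if (end == NULL) return -1;
    size_t room = dest_size - (size_t)(end - dest) - 1;  /* keep 1 byte for NUL */
    if (n > room) n = room;
    strncat(dest, src, n);
    return strlen(src) > n;
}

/* Constructed input: prefix_len 'p' bytes already in dest, then src_len 'A'
   bytes appended with the bound. Returns the final string length. */
size_t demo_append(size_t prefix_len, size_t src_len) {
    char dest[DEST_SIZE] = {0};
    char src[1024];
    if (prefix_len >= DEST_SIZE || src_len >= sizeof src) return 0;
    memset(dest, 'p', prefix_len);
    memset(src, 'A', src_len);
    src[src_len] = '\0';
    append_bounded(dest, sizeof dest, src, APPEND_MAX);
    return strlen(dest);
}

int main(void) {
    char a[DEST_SIZE] = "id:", b[DEST_SIZE] = "id:";
    append_unbounded(a, "short");                      /* fits, so same result */
    append_bounded(b, sizeof b, "short", APPEND_MAX);
    printf("%s | %s\n", a, b);
    /* 400-byte source: capped at 160 appended bytes, or at the room left. */
    printf("%zu %zu\n", demo_append(7, 400), demo_append(200, 400));
    return 0;
}
```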
64-Bit Flash Player
Finally, some good news from Adobe: they’re previewing a Flash Player for 64-bit browsers. The 64-bit version is being called Square. It can be used in conjunction with the IE9 Beta and other 64-bit browsers on Windows, Mac or Linux. You can download it from Adobe Labs and read more about it in an Adobe Flash Player blog entry.
Deployment Tip
Brad Arkin tweeted this PDF with deployment tips for Adobe Reader and Acrobat, and I figured I’d pass it along. You can find it here: http://kb2.adobe.com/cps/837/cpsid_83709/attachments/Acrobat_Reader_Update_QuickKey.pdf