Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
A vulnerability has been reported in Adobe Reader/Acrobat, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused by a vulnerable bundled version of Flash Player (authplay.dll).
Successful exploitation allows execution of arbitrary code.
The vulnerability is reported in version 9.3.2 and earlier 9.x versions for Windows, Macintosh, and UNIX.
NOTE: The vulnerability is currently being actively exploited.
Everything I am reading seems to indicate this is actually a vulnerability in version 10.0.45.2 of Flash, and there is a common component that is also included in Reader. So, this will probably require patches for both products before it is addressed.
A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat. This advisory will be updated once a schedule has been determined for releasing a fix.
Affected software versions
Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris
Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX
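To triage an inventory against the affected ranges listed above, a version check along these lines can be used. This is an added example, not code from Adobe or from the original post; the hostnames, the inventory rows and the function names are constructed for illustration, and versions outside the listed branches are treated as "not listed here" rather than as safe.

```python
import re

# Highest affected version per branch, taken from the advisory text above.
# Branches that are not named there (e.g. Reader 8.x) are simply not listed.
AFFECTED = {
    "flash":   [((10, 0), (10, 0, 45, 2)), ((9, 0), (9, 0, 262, 0))],
    "reader":  [((9,), (9, 3, 2, 0))],
    "acrobat": [((9,), (9, 3, 2, 0))],
}

def parse_version(text):
    """Parse '10.0.45.2' or '10,0,45,2' into a tuple of at least four ints."""
    parts = re.split(r"[.,]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # pad '9.3.2' to (9, 3, 2, 0)

def is_affected(product, version_text):
    """True if the version is in a listed branch, at or below that branch's ceiling."""
    v = parse_version(version_text)
    for branch, ceiling in AFFECTED[product.lower()]:
        if v[:len(branch)] == branch and v[:4] <= ceiling:
            return True
    return False

def triage(inventory):
    """Split (host, product, version) rows into affected hosts and rows for manual review."""
    affected, review = [], []
    for host, product, version in inventory:
        try:
            if is_affected(product, version):
                affected.append(host)
        except (ValueError, KeyError):  # bad version string or unknown product
            review.append(host)
    return affected, review

# Constructed sample inventory (hostnames and rows are made up for the example).
INVENTORY = [
    ("ws-01", "flash", "10,0,45,2"),
    ("ws-02", "flash", "9.0.262"),
    ("ws-03", "flash", "10.1.0.0"),
    ("ws-04", "reader", "9.3.2"),
    ("ws-05", "reader", "8.2.2"),
    ("ws-06", "acrobat", "9.x"),
]

if __name__ == "__main__":
    hit, unknown = triage(INVENTORY)
    print("affected:", hit)
    print("manual review:", unknown)
```

Rows with an unparseable version or an unknown product land in the manual-review list instead of being silently counted as unaffected.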
Update – June 8
As of now, a patch (for FLASH) is expected from Adobe on June 10. The Acrobat/Reader patch is not expected until June 29.
Adobe said on Monday that it will have a patch available for the newly discovered critical vulnerability in Flash ready by June 10 for most platforms. The patches for Adobe Reader and Acrobat, which also are affected by the flaw, won’t be released until June 29.