PROPRIETARY TOOLMAKER Adobe has been forced to build patches for its free (PDF) Reader and Acrobat PDF creation software because of a critical flaw in its Flash Player.
The critical patches will address a problem that Adobe has already fixed in Flash Player, where it affects version 10.0.42.34 and earlier. Adobe claims that the vulnerability (CVE-2010-0186) could be used to subvert the domain sandbox and make unauthorized cross-domain requests.
Adobe's severity rating system lists the Flash Player patch as critical. This means that if exploited, it could allow malicious code to execute, potentially without the user being aware.
The company says the vulnerability could enable "Flash applets to circumvent certain security functions in order to access other websites without obtaining the user's permission. A specially crafted Flash file on a malicious web page could read data, including banking data or similar, displayed in other open browser windows."
Adobe recommends that users of Flash Player 10.0.42.34 and earlier update to 10.0.45.2, while users of Adobe AIR version 220.127.116.110 and earlier versions update to 18.104.22.1680. Flash users can use Adobe's Flash Player Download site or auto-update in the player when prompted. Affected AIR users can download from the Adobe AIR Download site.
The flaw apparently is so critical that Adobe will be releasing patches for Reader and Acrobat outside of its standard security update cycle on February 16.
At the moment there are no known exploits for these flaws, but the popularity of Adobe's Flash Player, Reader and Acrobat makes them such prime targets that it likely won't be long before some bright spark finds a way. µ