Critical Adobe Flash, Reader 0-day flaw exploited in the wild

A zero-day flaw affecting 10.0.x and 9.0.x versions of Adobe Flash Player – including the current version, which is 10.0.45.2 – has been spotted being exploited in the wild. The flaw also affects Adobe Reader and Acrobat 9.3.2 and earlier 9.x, since the vulnerable authplay.dll component ships with those products.

Adobe released on Friday the security advisory detailing the particulars of the critical vulnerability, saying that it “could cause a crash and potentially allow an attacker to take control of the affected system,” and that “there are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.”

While waiting for the fix to be pushed out, Adobe advises users to switch to Flash Player 10.1 Release Candidate, which does not appear to be vulnerable, or “deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x.” This action mitigates the threat, but users will be unable to open PDF files with Flash content because the program will crash or they will witness an error message.