Critical vulnerability in Adobe Flash 10.2 for Windows, Linux, Mac and Android

No stranger to security scares, Adobe is once again at the center of a new potential threat to the company's Flash software for just about every platform: Windows, Linux, Mac and Android (as well as Solaris).

According to a security blog entry by Adobe, the affected software versions are:

  • Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 10.2.154.25 and earlier for Chrome users
  • Adobe Flash Player 10.2.156.12 and earlier for Android
  • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems

A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform. At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigation would prevent an exploit of this kind from executing.
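As an added example (not from the article or from Adobe), the following Python sketches two defender-side checks a practitioner could pair with this advisory: comparing an installed Flash Player version string against the affected-version ceilings listed above, and scanning a file such as a mail attachment for embedded SWF headers (every SWF file begins with an `FWS`, `CWS` or `ZWS` signature, a one-byte version and a four-byte little-endian length). The sample document bytes, the plausibility thresholds and all function names are constructed for this example and are not part of the advisory.

```python
"""Defender-side helpers for the Flash advisory: version check and SWF-in-document scan (added example)."""
import re
import struct
import zlib

# Affected-version ceilings taken from the advisory text, keyed by distribution.
AFFECTED_MAX = {
    "desktop": (10, 2, 153, 1),   # Windows, Macintosh, Linux, Solaris
    "chrome": (10, 2, 154, 25),   # Flash bundled with Chrome
    "android": (10, 2, 156, 12),  # Android
}


def parse_version(text):
    """Turn '10.2.153.1' into (10, 2, 153, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text, platform):
    """True when the installed version is at or below the advisory's ceiling for that platform."""
    return parse_version(version_text) <= AFFECTED_MAX[platform]


# SWF signature: 'FWS' = uncompressed, 'CWS' = zlib body, 'ZWS' = LZMA body.
SWF_MAGIC = re.compile(rb"[FCZ]WS")
SWF_KIND = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
# Generous upper bound on the SWF version byte (assumption for the heuristic).
MAX_SWF_VERSION = 50


def find_embedded_swf(data):
    """Return plausible SWF headers found anywhere in `data` (e.g. an OLE .doc attachment).

    Each hit is a dict with offset, kind, version and the declared uncompressed length.
    Signature matches that fail basic header sanity checks are dropped as noise.
    """
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue  # not enough room for the 8-byte header
        version = data[off + 3]
        declared_len = struct.unpack_from("<I", data, off + 4)[0]
        if not (1 <= version <= MAX_SWF_VERSION) or declared_len < 8:
            continue  # version byte or length field implausible for a real SWF
        kind = SWF_KIND[m.group()]
        if kind == "uncompressed" and off + declared_len > len(data):
            continue  # an uncompressed SWF cannot declare more bytes than remain
        if kind == "zlib":
            try:  # the body of a CWS file must start a valid zlib stream
                zlib.decompressobj().decompress(data[off + 8: off + 72])
            except zlib.error:
                continue
        hits.append({"offset": off, "kind": kind, "version": version,
                     "declared_len": declared_len})
    return hits


def build_fake_swf(kind=b"FWS", version=10, body=b"\x00" * 20):
    """Construct a minimal SWF-shaped blob for testing (header plus filler, not a playable movie)."""
    payload = zlib.compress(body) if kind == b"CWS" else body
    total = 8 + len(body)  # the length field is the *uncompressed* size including the header
    return kind + bytes([version]) + struct.pack("<I", total) + payload


# Constructed stand-in for a .doc attachment: OLE2 magic, filler, a decoy 'FWS' with an
# impossible version/length, then one uncompressed and one zlib-compressed SWF header.
CONSTRUCTED_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound-file magic
    + b"\x00" * 40
    + b"FWS\x00\x00\x00\x00\x00"          # decoy at offset 48: version 0, length 0
    + b"\x00" * 16
    + build_fake_swf(b"FWS", 10)          # real-looking header at offset 72
    + b"\x00" * 16
    + build_fake_swf(b"CWS", 10)          # zlib-compressed header at offset 116
    + b"\x00" * 8
)

if __name__ == "__main__":
    print("10.2.153.1 on desktop affected:", is_affected("10.2.153.1", "desktop"))
    for hit in find_embedded_swf(CONSTRUCTED_DOC):
        print("embedded SWF:", hit)
```

The scan is a triage heuristic, not a parser: a hit means the attachment carries something that looks like a Flash movie where a plain Word document has no reason to, which is enough to quarantine it for a closer look. The version comparison uses Python's tuple ordering, so a shorter string such as "10.3" still compares correctly against the four-part ceilings.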

While, theoretically at least, an attacker could gain control of a computer by exploiting this particular security hole, users can reduce the risk with simple common sense. As BGR reports, attacks against Flash tend to arrive as embedded code inside a Microsoft Word document. If you get a Word document by email from a source you don't know, simply not opening it will help protect you. It's a simple way to help yourself, though admittedly not every user is quite so tech savvy.

With Adobe categorizing the issue as 'critical', chances are a fix will arrive sooner rather than later, so don't panic just yet.


Maybe browsers should do more and make it easier to disable Flash and only allow it to run on whitelisted sites you trust (as much as you can trust a website).

But I agree, it's getting silly now... almost one every other week now.

Wow, this never happens... </sarcasm> Neowin should just put this as a "Sticky" news story since it comes up every few days...

clotz2000 said,
Wow, this never happens... </sarcasm> Neowin should just put this as a "Sticky" news story since it comes up every few days...

I know it's sad but it seems like it! :-/

What's that? You want to make an exploit that compromises ALL operating systems? Impossible! But wait... Adobe may have a solution for you!

If not for YouTube and a couple of video sites, I would never use this piece of crap software from Adobe. They screwed up Flash when they bought it from Macromedia.

Auditor said,
If not for YouTube and a couple of video sites, I would never use this piece of crap software from Adobe. They screwed up Flash when they bought it from Macromedia.

+1

I was thinking these security threats that 'someone could potentially take over your computer' are just dumb. You would have to do something totally stupid for that to happen... PERIOD. If you are a loser who routinely opens emails from people you don't know that have files attached, and you're still stupid enough to open them... you deserve what happens next.

These are the same idiots who think nothing bad can ever happen to them and when someone rings the doorbell they simply just open the door and just let a stranger in who could potentially kill them.

Sucks for you if you're that stupid.

One of our users called me because she was trying to load a Flash file from an untrusted source and it told her she needed to download the more recent version of Flash. She clicked it and after a few seconds it said it had installed, yet the document still didn't work. I browsed to Adobe's website and it said she already had the most recent version. Turns out it was an exploit and every time she clicked it got worse. We had to wipe her whole system.

I always tell people, if a page says you need the most recent version of Flash, get it directly from Adobe.com. If you still have problems then there is something wrong. Don't sit there like a fool and just keep clicking. Yet the fools still do it.

All PC issues when it comes to security have to do with what is between the chair and the keyboard. Cars are made to be as safe as possible; they only become a threat for the same exact reason. Careless people drive and use PCs... we all have to watch out for them.

The problem is that there are a lot of users who are stupid and fall victim to this. Now their computers are zombies and contributing to all of the Internet spam. It affects you whether it infects you or not.

It's a Zero day, meaning it's being exploited but there is no fix. In this case a bad guy could potentially infect you by you going to ANY website. The bad guy would then have some flash content automatically load on the page, and exploit your unpatched version of flash. At which point you are hosed.

warwagon said,
It's a Zero day, meaning it's being exploited but there is no fix. In this case a bad guy could potentially infect you by you going to ANY website. The bad guy would then have some flash content automatically load on the page, and exploit your unpatched version of flash. At which point you are hosed.

Not exactly... The reason they were using Word to spread the exploit is that on Vista or Windows 7, IE protected mode and Chrome's sandbox, and the brokers they use to obtain security, would prevent it from working.

TechieXP said,
If you are a loser who routinely opens emails from people you don't know that have files attached, and you're still stupid enough to open them... you deserve what happens next.

No, you don't. Not as long as:
1) Computers are advertised as a kind of appliance where no computer knowledge is required.
2) You can easily forge the "from" field in an email to make it appear as sent by someone the recipient knows and trusts.
3) You can do (2) massively and automatically using the victims' contact lists.

Most people don't even conceive that an email from a@b.com might not actually come from a@b.com at all, in the same way they trust the "from" number in their phone calls.

No Flash here on any of my devices. I was doing a "no Flash" experiment and just forgot to install it. I get most of my videos in HTML5 and I'm happy about that.

SHoTTa35 said,
No Flash here on any of my devices. I was doing a "no Flash" experiment and just forgot to install it. I get most of my videos in HTML5 and I'm happy about that.

Please don't forget that HTML5 is not an alternative to Flash. It's an alternative to Flash videos and maybe "Flash websites", but not Flash itself. I recently browsed http://www.kongregate.com/ and http://www.newgrounds.com/ and found many good games, created by talented people using Flash.
The advent of the pen doesn't mean that the pencil must die.

RealFduch said,
Please don't forget that HTML5 is not an alternative to Flash. It's an alternative to Flash videos and maybe "Flash websites", but not Flash itself. I recently browsed http://www.kongregate.com/ and http://www.newgrounds.com/ and found many good games, created by talented people using Flash.
The advent of the pen doesn't mean that the pencil must die.

There are also good HTML5 games around. Heck, you can even play Quake 2 in your browser.

HTML5 *is* an alternative to Flash, just not a drop-in replacement for every single piece of Flash content.