Adobe has posted a security advisory to warn about the vulnerability in its Flash Player.
Adobe’s Product Security Incident Response Team wrote in its blog that the vulnerability could cause a crash and potentially allow an attacker to take control of an affected system.
More ominously, it continued: “There are reports that this vulnerability is being actively exploited in the wild against Flash Player on Windows.”
The team has promised a fix, but not immediately. Although it said “we are in the process of finalising a fix”, that is obviously a euphemism for “working on one”, as the first updates will not be available until the end of this month.
Besides Windows, the affected versions include Flash Player 10.1.82.76 and earlier for Macintosh, Linux and Solaris. Adobe Flash Player 10.1.92.10 for Android is also vulnerable. A patch is due during the week of 27 September.
Adobe Reader 9.3.4 and earlier for Windows, Mac and Unix is also listed, along with version 9.3.4 and earlier for Windows and Mac. Fixes for these will appear around a week later.
Apple's chief executive Steve Jobs will feel vindicated. Until last week, he resisted allowing Flash on Apple products, despite complaints from the user base. In an open letter last April, he detailed his reasoning. At one point he wrote: “Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash.”
This is the third Adobe security advisory to be issued this year about actively exploited vulnerabilities. The previous one was last Wednesday, less than a week ago, and a workaround using a toolkit from Microsoft has been released but, as yet, no fix.