The flaw, which could cause a crash or allow an attacker to take control of an affected system, is present in the latest version of Adobe Flash Player (10.0.45.2) and earlier for Windows, Macintosh, Linux and Solaris operating systems, Adobe said in a security advisory Friday. The bug also affects the authplay.dll component of Adobe Reader and Acrobat 9 for Windows, Macintosh and UNIX operating systems. The cause of the vulnerability was unspecified.
“There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat,” Adobe said in its advisory.
The flaw currently remains unpatched with no schedule for a fix. It was rated “extremely critical” or a 5 out of 5 by Danish vulnerability tracking firm Secunia.
Adobe has provided a workaround for affected versions of Adobe Reader and Acrobat. Users can mitigate the threat by deleting or renaming the authplay.dll file in Adobe Reader and Acrobat, Adobe said. Doing so could, however, cause an error message or non-exploitable crash when opening certain PDF files.
The authplay.dll file is usually located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.
In addition, a prerelease version of Flash Player 10.1, which is currently available, does not appear to be affected by the vulnerability, Adobe said.