Adobe released a handful of patches this week to address serious security vulnerabilities. The most relevant update for the vast majority of users is the patch for Adobe Flash Player, but IT admins should also be aware of the updates for ColdFusion and Flash Media Server.
Adobe is supposed to be on a scheduled quarterly update cycle, but this handful of updates comes about two months ahead of the next scheduled release--which is supposed to be October 12, 2010.
The APSB10-16 is titled "Security Update available for Adobe Flash Player", but the flaw identified in the security bulletin actually affects both Adobe Flash Player, and Adobe AIR. The Flash versions impacted include 10.1.53.64 and earlier for Windows, Mac, Linux, and Solaris, and the affected Adobe AIR versions include 126.96.36.19910 and earlier for Windows, Mac, and Linux.
The vulnerabilities in Adobe Flash Player and Adobe AIR could be exploited to cause the application to crash, or potentially allow an attacker to take control of the affected system--enabling the attacker to install or execute additional malicious software on the PC. At this time, though, Adobe is not aware of any exploits in the wild.
These Adobe updates don't impact the patches Adobe has projected for next week. The patches expected next week address critical security issues with Adobe Reader on Windows, Mac, and UNIX that were revealed at the recent Black Hat security conference.
Adobe has become a primary target for malware developers. As Microsoft has steadily improved efforts to secure its operating systems and applications against attack, the relatively ubiquitous Adobe products have drawn attention. Adobe's secure coding efforts are not at the same level of maturity as Microsoft, providing ample opportunity for exploit.
Adobe announced that it is building sandboxing into the next major release of Adobe Reader as a security control to guard against emerging threats. Of course, other applications have relied on sandboxing for some time, and alternative PDF reading software like FoxIt Reader and Nuance PDF Reader already have better security controls than the native Adobe application.
Malware developers are wily and are increasingly adept at luring gullible users to click on malicious links and open malicious files--often PDF files--by ripping headlines from major breaking news. A recent McAfee report illustrates that the malware threat is bigger than ever and continuing to grow.
IT admins need to be aware of identified vulnerabilities--particularly in applications like Adobe Flash and Adobe Reader that exist on virtually every system regardless of operating system platform, and assess and implement critical security patches on a timely basis.