Adobe pulls it out ahead of their March 11th “by when” date. The patch for Adobe Flash Player is…wait, what? Adobe is having a bad month, it appears. Today they released a patch for Flash Player, NOT Acrobat Reader (yet).

From Adobe:

A potential vulnerability has been identified in Adobe Flash Player 10.0.12.36 and earlier that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit this potential vulnerability. Additional vulnerabilities have been addressed in this update. Adobe recommends users update to the most current version of Flash Player available for their platform.

The Belgian security site (great reading by the way) Security4all pointed out this interesting tidbit.

Additionally, there is an iDefense report on this issue. What interested me was the Disclosure Timeline:

08/25/2008 – Initial Contact
09/22/2008 – PoC Requested
11/05/2008 – PoC Sent
11/06/2008 – Clarification requested
12/05/2008 – Clarification Sent
12/07/2008 – Additional Clarification Sent
02/19/2009 – Draft bulletin received
02/24/2009 – Coordinated Public Disclosure

Odd timeline.

Adobe Security Advisory

Get yer patch on. NOW!

UPDATE: And yes, thx mubix, one of the affected pieces of software mentioned in the advisory was AIR 1.5.

Comments

  1. 08/25/2008 – Initial Contact
    09/22/2008 – PoC Requested

    Ok, Adobe needs to get its act together on vuln response, no real surprise.

    09/22/2008 – PoC Requested
    11/05/2008 – PoC Sent

    That seems quite excessive on the other side though. Normally a researcher can produce a PoC on demand. Either they had a reason to withhold it for a while or the wires got seriously crossed.
