Adobe Flash Player 10.1, however, which is available on some platforms, appears to be unaffected. On affected versions, the vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe has tacitly admitted that the vulnerability is being actively exploited in the wild against both Adobe Flash Player, and some versions of Adobe Reader and Acrobat.
A patch for the issue is being developed by Adobe, although some industry experts are suggesting that users step back to Adobe Reader/Acrobat v8.x and/or upgrade to Flash Player 10.1 release candidate.
According to Graham Cluley, a senior technology consultant with Sophos, although Adobe has published a way to mitigate the problem for Adobe Reader and Acrobat 9.x for Windows, the workaround is clearly not ideal, since it involves deleting, renaming or removing access to the autoplay file.
Unfortunately, as Adobe says on its website: "users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content". Cluley says this is not a major issue.
"Once again, it sounds as if feature-itis (the technical term for a product suffering from excessive inflation of unnecessary features) could have partly been Adobe's undoing in this example. A simple PDF reader without so many bells and whistles might not have suffered from such exploitation", he said in a weekend security blog posting.