OS/Platform/Application:

Adobe Acrobat
Adobe Reader
Adobe Flash Player

(on Windows, Mac, Linux, and UNIX systems)

Category: ALERT
Severity: HIGH
Attention: Adobe Products Users, System Administrators, Desktop Support Personnel

Summary: Numerous Internet Security resources are reporting the existence of a vulnerability that affects Adobe Acrobat, Reader, and Flash Player.  The most likely mechanism of exploitation is the opening of a maliciously-crafted PDF file or browsing of a maliciously-crafted web page.  Successful exploitation could result in complete takeover of a vulnerable computer. 

Adobe has released a security advisory that not only confirms the vulnerability but also acknowledges that the vulnerability is currently being actively exploited on the public Internet at this time. 

Recommended Actions: At the time of this writing (8:00 AM 7/23/09) No patch has been made available from the vendor.  According to the Adobe advisory, a staggered deployment of fixes is planned:

"We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows and Macintosh by July 31, 2009 (the date for Adobe Reader for UNIX is still pending)."

Readers are encouraged not to open PDF documents from untrusted sources or to consider the use of an alternative PDF reader if their work requires the frequent handling of such documents.  Users are also encouraged not to browse untrusted websites and to update their antivirus, etc software as soon as possible.

Readers are encouraged to share this alert with family, friends, and associates.

ITS Actions: N/A

Resources:

Adobe Security Advisory:
http://www.adobe.com/support/security/advisories/apsa09-03.html