Adobe flaw was known about for seven months

The so-called zero day vulnerabilities discovered in Adobe’s Flash Player last week were actually known about for seven months, according to new reports.

Paul Royal, a principal researcher at web security service provider Purewire, is credited with first noticing that the flaw in Flash was actually logged into Adobe's bug and issue management system on December 31 last year.

Adobe will be embarrassed about the revelations its security response team knew about the vulnerability for months, especially as it was originally misdiagnosed as a “data loss corruption” issue, according to a ZDnet report.

The firm has now moved swiftly to address the issue, however, announcing that patches will be available by July 31 for Windows, Mac and Linux users.

“A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems,” acknowledged Adobe in a security advisory.

"This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows.”

In the meantime, Adobe is recommending that users delete, rename, or remove access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x, in order to mitigate the threat for those products.