Adobe questioned over critical patch update for Flash Player

Adobe has rushed a patch to cover a potential vulnerability in its Flash Player.

It claimed that a specially crafted SWF file could result in a buffer overflow that could allow an attacker to execute arbitrary code on the unpatched system. This could lead to a denial of service attack, mitigate clickjacking issues and cause a potential privilege escalation issue.

The affected versions are Flash Player 10.0.12.36 and earlier versions. Adobe rated it as ‘critical' and recommended users update their players to the newest version or apply the patch.

Sam Masiello, vice president of information security at MX Logic, said: "It was not clear from the advisory as to whether or not there is code in the wild currently exploiting any of these vulnerabilities, although I could not find any other announcements that would lead me to believe that exploit code exists.

"I believe that this begs the question as to why a Flash Player update is being released in advance of any malicious code when verified exploit code is already in the wild for Acrobat and Acrobat Reader? I am all for releasing patches proactively, but I would like to see an explanation from Adobe as well as to why we still have to wait two weeks for the Acrobat [Reader] updates. I don't quite understand the prioritisation here."