
Adobe rolls out Flash patches to fix zero-day flaw

by Iain Thomson

21 Mar 2011


Adobe has confirmed that it has begun pushing out a patch for its Flash, Acrobat and Reader platforms and will have the process completed by the end of the day.

Last week Adobe warned users of a zero-day flaw that was being used in attacks against the three applications in the wild. The attacks used a special Excel file to subvert Flash in a complicated way, Brad Arkin, Adobe's senior director of product security and privacy, told V3.co.uk.

"Some Flash problems are just a one line fix, but this wasn't one of them," he said.

"This was a more complicated, state-based attack. It wasn't just a matter of finding a hole in the data - the malware has to trick the machine into interpreting objects incorrectly for it to work."

The number of attacks Adobe has seen in the wild was fewer than could be counted on one hand, he said, and there had been no reports of the exploit being used anywhere else since then. They were highly targeted attacks against a small number of companies, he said.

The patches for Reader and Acrobat have already been issued and the fix for Flash will be pushed out this afternoon, once the engineering team gets the final golden build, he confirmed.

The bulk of the time taken by Adobe's security team wasn't in fixing the actual problem in the code, but in testing the fix. Adobe had to run the new code on over 60 different operating systems and on over 100 different language platforms.

Part of this testing process allowed Google to issue an update for its Chrome browser early, Arkin said. Once Adobe had fixed the initial problem and tested it on Google's three platforms, it was handed over to the search company, which pushed it out immediately.

"We've got a similar system with Mozilla where Firefox checks for outdated software and we're open to other working arrangements," he said.

"Updaters are now more commonly being built into operating systems; that seems where things are going."
