Adobe has revealed a critical zero-day flaw in Adobe Flash – the second in less than a week. The vulnerability extends even to Adobe Flash on the Android mobile OS, supporting at least one of the reasons laid out by Steve Jobs for not allowing Flash on the iPhone and iPad.
The critical flaw could be exploited to crash the affected system, or may allow an attacker to take control of it and execute further malicious software. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player, but Adobe is not aware of any attacks exploiting it against Adobe Reader or Acrobat thus far.
The latest zero-day vulnerability affecting Adobe’s Flash Player extends to Adobe Flash on the Android mobile OS. Mobile platforms are generally less protected when an issue such as this emerges: smartphones often attach to untrusted Wi-Fi networks, and there are far fewer warnings and safeguards while browsing the web.
Compared to traditional PC environments, where browsers have extensive security checks built in to stop malicious code from running, mobile device browsers are still at an early stage. Although the Android sandbox architecture should offer some protection, an exploit could still potentially access data within the browser, which might include stored credentials.
Adobe has stated that it is aware of reports of active exploitation and that a patch should be ready within the next two weeks. Risk-averse users should consider uninstalling Flash Player from their devices. Mind you, with the rate at which zero-days are appearing in Adobe applications recently, these users may decide – like Apple – that Flash isn’t worth the risk.