Posted by Ryan Naraine
Adobe has finally issued an almost-definitive statement on the reports of a zero-day attack targeting its flagship Flash Player, suggesting (kinda) that the vulnerability is already patched.
In a progress report posted to the official Adobe PSIRT blog, David Lenoe stops short of making definitive statements on the actual vulnerability, using phrases like “appears to be” and “should not be vulnerable” but it’s clear that Adobe believes these attacks are tied to an issue that was patched with Flash Player 220.127.116.11.
From Lenoe’s update:
The exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 18.104.22.168 (CVE-2007-0071). This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere – customers with Flash Player 22.214.171.124 should not be vulnerable to this exploit. We’re still looking in to the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 126.96.36.199.