Adobe has released a security advisory announcing a zero-day exploit affecting specific Adobe Flash Player versions. The vulnerability (CVE-2010-1297) can be used to run arbitrary code, which means that malicious files could be downloaded or dropped on the affected system.
During our daily research we found some malicious PDF files which exploit this vulnerability to spread malicious files. All widespread versions of Flash are vulnerable: this means versions 10.0. and 9.0. and the currently released version 10.0.45.2.
There is a workaround for Reader and Acrobat 9: delete the file “authplay.dll”. After this file is deleted, Acrobat and Reader will crash if a PDF containing Flash is opened. For Flash Player, there is a Release Candidate of version 10.1 which does not contain this vulnerability.
Avira protects against this exploit without requiring an update. The exploit is detected by our engine as HTML/Malicious.PDF.Gen.
Thomas Wegele
Virus Researcher