The current zero-day attacks against Adobe Flash Player are not quite zero-day after all. According to new information, Adobe's security response team has known about the vulnerability since December 31, 2008 (see image below), but it was misdiagnosed as a "data loss corruption" issue.
When word of the attacks surfaced this week, Adobe quickly locked access to the bug ticket with a note that it was "reclassified as a security bug."
(Image credit: @Shirkdog)
Once it got wind of the attacks, which exploit Flash Player within rigged PDF documents, Adobe's security response process kicked into overdrive and the company released separate advisories to offer temporary mitigation.
The company now plans to release patches on July 30th and 31st for Windows, Mac and Linux users.
According to Sourcefire's Lurene Grenier, there are at least two separate vulnerabilities that are being exploited in the wild. Adobe's advisory only mentions "a critical vulnerability" so it's not quite clear if everything will be fixed next week.
In the meantime, be sure to follow Adobe's advice and delete, rename, or remove access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x. This mitigates the current attack vectors.
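One way to apply the authplay.dll rename on a Windows machine, as an added example (not code from Adobe or from the original article). It assumes Reader and Acrobat are installed under the Program Files directories; the parameter names and the `.disabled` suffix are illustrative choices.

```powershell
# Added example: find authplay.dll copies and rename them so Reader/Acrobat cannot load them.
# Assumption: Adobe products are installed under the Program Files directories;
# pass -Roots to search elsewhere. Run elevated, since these directories are protected.
param(
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
    [switch]$Apply   # without -Apply the script only reports what it would rename
)

$suffix = '.disabled'   # constructed suffix; any name other than authplay.dll works

# Skip empty or missing roots (ProgramFiles(x86) is unset on 32-bit Windows).
$searchRoots = $Roots |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

$found = foreach ($root in $searchRoots) {
    Get-ChildItem -LiteralPath $root -Filter 'authplay.dll' -File -Recurse -ErrorAction SilentlyContinue
}

foreach ($dll in $found) {
    $target = $dll.FullName + $suffix

    # A leftover from an earlier run means a fresh authplay.dll has reappeared; flag it for review.
    if (Test-Path -LiteralPath $target) {
        Write-Warning "Skipping $($dll.FullName): $target already exists"
        continue
    }

    if ($Apply) {
        Rename-Item -LiteralPath $dll.FullName -NewName ($dll.Name + $suffix) -ErrorAction Stop
        Write-Output "renamed       $($dll.FullName) -> $target"
    } else {
        Write-Output "would rename  $($dll.FullName)"
    }
}

if (-not $found) { Write-Output 'No authplay.dll found under the searched roots.' }
```

Run it once without `-Apply` to review the list, then again with `-Apply`; renaming the files back to authplay.dll reverses the change.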
Firefox users can simply disable the Flash Player plug-in until Adobe releases its patches.
This misdiagnosis of a serious security vulnerability is an embarrassment for Adobe, a company that has been struggling to clean up its image with a major security-themed operations overhaul (podcast).