Adobe will patch a critical Flash bug on Thursday, but has decided to postpone a fix for an associated flaw in the Reader PDF viewer until the end of the month.
The vulnerability is already being exploited by hackers using rigged PDF documents, several antivirus firms said. Exploit code has also been publicly posted to the Internet.
Adobe acknowledged the bug in Flash, Reader and Acrobat, last week and confirmed that attackers are already putting it to use.
The company promised a patch, but had not set a schedule for its release, until yesterday.
"The security update for Flash Player will be available by June 10, 2010," said Brad Arkin, Adobe's director of security and privacy, in a post to company blog.
"The security update for Adobe Reader and Acrobat will be available by June 29, 2010."
Arkin said his team had considered a rush patch for Reader and Acrobat as well, but rejected the idea because of an impending update already scheduled for July 13, part of Adobe's quarterly patch process for Reader and Acrobat.
"Two patches within three weeks would have incurred too much churn and patch management overhead on our users, in particular for customers with large managed environments," Arkin said.
Instead, Adobe will move up the already-slated July 13 quarterly patch release to June 29, and include a fix for the zero-day flaw in that batch.
Earlier, Adobe had modified its security advisory , first issued last week, to recommend steps that Mac and Linux users could take to help protect themselves against PDF-based attacks. Like the recommendations for Windows users, they involved deleting the 'authplay' component, or moving it from its usual location.
Authplay - on Windows it's dubbed 'authplay.dll', while on the Mac it's called 'authplay.lib' - is the interpreter that handles Flash content embedded within PDF files.
Andrew Storms, the director of security operations at nCircle Security, agreed with Adobe's move.
"I would certainly put Flash on the top of my list to address first," he said.
"The likely attack vectors with Flash would tend to be of fewer human interaction and thus should be tackled first."
Flash attacks could be launched in 'drive-by' attacks that need only entice users to visit malicious websites, which would host malformed media files.
Storms, a frequent critic of Adobe's security failures, also backed Arkin's decision to wait until the end of June to update Reader and Acrobat.
"I can understand the desire to not put out back-to-back-to-back releases inside of two months," he said.
"That would be a drain on Adobe and end users."
"We have confirmed that the attack involves 'Trojan.Pidief.J', which is a PDF file that drops a backdoor Trojan onto the compromised computer if [Reader or Acrobat] is already installed," said Symantec researcher Joji Hamada.
Symantec has also spotted Flash-based attacks using malicious media files embedded in HTML code on hacker sites.
"The attacks seem limited at this point," Hamada added.
"However, other cyber criminals may jump on the bandwagon to take advantage of the vulnerability in the very near future."
If that happens, Adobe may be stuck between a rock and a hard place, said Storms.
"They aren't giving themselves any space in case the attack vectors switch or increase whereby they may need to accelerate even further," he said.
To make Adobe's job tougher, attack code has gone public, according to HD Moore, chief security officer at Rapid7 and the creator of the well-known Metasploit hacking toolkit.
"Exploit for the new Adobe Flash 0-Day should [be] added to Metasploit soon, based on this public sample," Moore said on Twitter.
For some security experts, Metasploit is an attack barometer; when an exploit for a vulnerability is added to the penetration testing framework, the volume of attacks often jumps.
"All the better reason for Adobe to get that patch process into high gear," said Storms.