Remote-Execution Vulnerability In Adobe Flash 9.0.124.0
A remote code execution vulnerability has been confirmed in Adobe Flash for Windows and is believed to also affect versions that run on Linux and Apple’s OS X, according to an advisory from VeriSign’s iDefense Labs. There is no patch yet but Adobe is expected to release one soon, said iDefense Intelligence Director Rick Howard.
The vulnerability lies in the way Flash Player parses Shockwave Flash (SWF) files. A malicious SWF can create a particular object and then delete it while a reference to it is still held; when that stale reference is used, the player reads from the freed memory where the deleted object resided, iDefense said. Using so-called heap molding and heap spraying, an attacker first arranges the heap so that the freed slot is refilled with data of their choosing, then fills large regions of memory with attack code, so that the stale use dispatches execution into it.
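As an added illustration, not code from the iDefense advisory, from Adobe or from the original article, the following C program models the two mechanics described above with a toy slab allocator and a toy address space: a use-after-free whose freed slot is refilled with attacker-chosen bytes, and a heap spray that makes the planted address land in a sled leading to attack code. It also goes one step past the article by showing the refcounted variant that closes the hole. The object layout, the allocator, the spray range and the address 0x0c0c0c0c are all constructed for the demo and say nothing about Flash Player's real internals.

```c
/* Added example: a toy model of use-after-free + heap molding + heap
 * spraying. Not Flash Player code and not the iDefense proof of concept;
 * allocator, object layout, addresses and sizes are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE    16
#define NSLOTS       8
#define LEGIT_VTABLE 0x1000u      /* stands in for the real method table */
#define SPRAY_ADDR   0x0c0c0c0cu  /* classic address inside a heap spray */

/* A C++-style object: the first word is its method-table pointer. */
struct flash_obj { uintptr_t vtable; uint32_t refcount; };
/* Union so the attacker's raw bytes and the object view alias legally. */
union slot { struct flash_obj obj; unsigned char raw[SLOT_SIZE]; };

/* Tiny slab allocator with a LIFO free list: the slot freed last is the
 * slot handed out next. Heap molding coaxes a real heap into this state. */
static union slot slab[NSLOTS];
static int free_list[NSLOTS], free_top;

static void slab_init(void) {
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[free_top++] = i;
}
static union slot *slab_alloc(void) { return free_top ? &slab[free_list[--free_top]] : NULL; }
static void slab_free(union slot *s) { free_list[free_top++] = (int)(s - slab); }

/* Attacker step: a same-size allocation (in Flash, e.g. a string built by
 * the SWF) filled with chosen bytes; its first word is a fake vtable
 * pointer aimed at the sprayed region. */
static void reclaim_with_attacker_data(void) {
    union slot *s = slab_alloc();
    uintptr_t fake = SPRAY_ADDR;
    memset(s->raw, 0x0c, SLOT_SIZE);
    memcpy(s->raw, &fake, sizeof fake);
}

/* Vulnerable pattern: the object is deleted while a second, untracked
 * reference is still held, and that stale reference is then used.
 * Returns the vtable value a virtual call would dispatch through. */
uintptr_t vulnerable_dispatch_target(void) {
    slab_init();
    union slot *s = slab_alloc();
    s->obj.vtable = LEGIT_VTABLE; s->obj.refcount = 1;
    struct flash_obj *stale = &s->obj;
    slab_free(s);                     /* "delete" the object             */
    reclaim_with_attacker_data();     /* freed slot refilled by attacker */
    return stale->vtable;             /* SPRAY_ADDR, not LEGIT_VTABLE    */
}

/* Fixed pattern: every holder owns a reference and the slot is freed only
 * when the count hits zero, so the attacker's allocation lands elsewhere. */
static void release(union slot *s) { if (--s->obj.refcount == 0) slab_free(s); }

uintptr_t hardened_dispatch_target(void) {
    slab_init();
    union slot *s = slab_alloc();
    s->obj.vtable = LEGIT_VTABLE; s->obj.refcount = 2;   /* two holders */
    struct flash_obj *held = &s->obj;
    release(s);                       /* one holder lets go; not freed   */
    reclaim_with_attacker_data();     /* gets a fresh slot instead       */
    return held->vtable;              /* still LEGIT_VTABLE              */
}

/* Heap spray model: 1 MiB of identical blocks at SPRAY_BASE. Each block is
 * a sled of 0x0c bytes (on x86 a pair decodes as the harmless
 * "or al, 0x0c") ending in a marker that stands in for shellcode. */
#define SPRAY_BASE 0x0c000000u
#define BLOCK_SIZE 0x1000u
#define NBLOCKS    256u
static unsigned char spray_mem[NBLOCKS * BLOCK_SIZE];
static const unsigned char MARKER[4] = { 0xcc, 0xcc, 0xcc, 0xcc };

void heap_spray(void) {
    for (unsigned b = 0; b < NBLOCKS; b++) {
        unsigned char *blk = spray_mem + (size_t)b * BLOCK_SIZE;
        memset(blk, 0x0c, BLOCK_SIZE - sizeof MARKER);
        memcpy(blk + BLOCK_SIZE - sizeof MARKER, MARKER, sizeof MARKER);
    }
}

/* Emulate execution arriving at addr: slide over sled bytes and return the
 * offset of the marker reached, or -1 if addr misses the spray or the
 * bytes there are not a sled that ends in the marker. */
long slide_from(uint32_t addr) {
    if (addr < SPRAY_BASE || addr - SPRAY_BASE >= sizeof spray_mem) return -1;
    size_t off = addr - SPRAY_BASE;
    while (off < sizeof spray_mem && spray_mem[off] == 0x0c) off++;
    if (off + sizeof MARKER > sizeof spray_mem) return -1;
    return memcmp(spray_mem + off, MARKER, sizeof MARKER) == 0 ? (long)off : -1;
}

/* Whole chain: the stale vtable read yields the sprayed address, which
 * slides down a sled into the attack code. */
int chain_succeeds(void) {
    heap_spray();
    return slide_from((uint32_t)vulnerable_dispatch_target()) >= 0;
}

int main(void) {
    printf("vulnerable: chain %s (vtable=0x%lx)\n", chain_succeeds() ? "lands in attack code" : "fails",
           (unsigned long)vulnerable_dispatch_target());
    printf("hardened:   vtable=0x%lx (legit table kept)\n", (unsigned long)hardened_dispatch_target());
    return 0;
}
```

Two things carry over to real targets: the attacker never needs to know where the freed object was, only that a same-sized allocation made right after the delete gets its slot; and the spray works because the planted pointer only has to land somewhere in a sled, not at an exact address, which is why defences aim at the dangling reference itself (ownership tracking, as in the refcounted variant) rather than at guessing the spray.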
“iDefense considers this vulnerability to be of HIGH severity due to the possibility of arbitrary code execution with minimal user interaction,” Howard wrote in an email.
The vulnerability affects version 9.0.124.0 of Flash. The advisory didn’t say whether version 10 is also susceptible.
The vulnerability is separate from a security bug in Adobe’s Acrobat Reader program that is currently under attack. The company only notified users of the threat last week, after independent security researchers released their own advisory. According to IDG News, the attack has been in the wild for more than six weeks.
Credit: The Register