CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 22nd, 2009

Confirmed Zero-day Flash Vulnerability In Latest Adobe Reader And Acrobat 9.1.2, Adobe Flash Player 9 And 10

Adobe is investigating a critical vulnerability in its Flash format that is currently being exploited by hackers using malicious PDF documents, according to the company’s security team and outside researchers.

Adobe said little in a short entry to its security blog late Tuesday. “Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10,” said Brad Arkin, the company’s director for product security and privacy. “We are currently investigating this potential issue.”

Reader and Acrobat 9.1.2 are the most current versions of those applications.

An Adobe spokesman early Wednesday confirmed that the vulnerability was an issue within Flash content that is inserted into a PDF (Portable Document Format) file. Users can drop Flash movies into PDF files, for instance.

VeriSign’s iDefense said it spotted an in-the-wild attack exploiting the Flash zero-day, according to a target=”new” message posted to Twitter yesterday. “iDefense recently investigated a targeted attack using [a] embedded zero-day Flash exploit inside a PDF file,” the security intelligence company said.

Adobe has had its share of security problems this year, particularly with Reader, the popular PDF viewer. In mid-March, for example, it plugged several holes in Reader, including one that had been exploited by hackers since early January. Then in both May and June it followed that with further fixes to quash another Reader zero-day and patch another 13 bugs in the viewer.

Security was also at issue this week when Danish bug tracker Secunia noticed that Adobe continues to provide an outdated edition of Reader for download. Yesterday, Adobe reacted to Secunia’s report by saying it was reevaluating how its software updater operated.

iDefense did not immediately respond to a request for more information on its findings, while Adobe’s spokesman said details of the Flash-PDF vulnerability would be posted on the company’s security blog when they are available.

Credit: ComputerWorld.com

Share this item with others:

More on CyberInsecure:
  • Critical Flash Player, Acrobat, Reader Vulnerability Exploited In The Wild
  • Buffer Overflow Critical Vulnerabilities In Adobe Reader And Acrobat
  • Exploit Posted For Adobe Reader PDF Zero-day Vulnerability In ‘getAnnots()’ Javascript Function
  • Unpatched 0-day PDF Flaw Harnessed To Launch Targeted Attacks
  • Potential Vulnerability In Adobe Flash

    • Posted in Adobe, Software, Vulnerabilities | Print This Post Print This Post

    This entry was posted on Wednesday, July 22nd, 2009 at 2:26 pm and is filed under Adobe, Software, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Confirmed Zero-day Flash Vulnerability In Latest Adobe Reader And Acrobat 9.1.2, Adobe Flash Player 9 And 10

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »