Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 24th, 2009

Remote-Execution Vulnerability In Adobe Flash

A remote code execution vulnerability has been confirmed in Adobe Flash for Windows and is believed to also affect versions that run on Linux and Apple’s OS X, according to an advisory from VeriSign’s iDefense Labs. There is no patch yet but Adobe is expected to release one soon, said iDefense Intelligence Director Rick Howard.

The exploit occurs as a result of the way Flash handles Shockwave files. By creating a particular object and then deleting it, attackers can gain arbitrary execution control over uninitialized memory locations where the invalid object resided, iDefense said. The technique involves the use of so-called heap molding and heap spraying, allowing memory contents to be overwritten with attack code.

“iDefense considers this vulnerability to be of HIGH severity due to the possibility of arbitrary code execution with minimal user interaction,” Howard wrote in an email.

The vulnerability affects version of Flash. The advisory didn’t say whether version 10 is also susceptible.

The vulnerability is separate from a security bug in Adobe’s Acrobat Reader program that is currently under attack. The company only notified users of the threat last week, after independent security researchers released their own advisory. According to IDG News, the attack has been in the wild for more than six weeks.

Credit: The Register

Share this item with others:

More on CyberInsecure:
  • Potential Vulnerability In Adobe Flash
  • Critical Security Vulnerability Patched In Adobe AIR 1.5
  • Adobe Flash Player SWF File Zero-Day Remote Code Execution Vulnerability
  • Critical Flash Player, Acrobat, Reader Vulnerability Exploited In The Wild
  • Adobe Fixes Clickjacking Vulnerability In Flash Player 10

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Remote-Execution Vulnerability In Adobe Flash

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.