Feeling Vulnerable: Adobe, Cisco Stung By Bugs
For Adobe, six vulnerabilities affecting its popular Reader and Acrobat products were discovered in the past two weeks, one of which could be used in cross-site scripting attacks.
Attackers could exploit one group of vulnerabilities by creating rigged PDF files and getting unsuspecting users to open them. These flaws are more dangerous because remote attackers could use them to execute malicious code and take over affected machines, Adobe said in an advisory last week. The advisory noted that a malicious file would have to be loaded in Adobe Reader.
Adobe, San Jose, Calif., assigned its highest threat rating of "critical"—4 on a 4-point scale—to the vulnerabilities. Symantec Deepsight rated the severity of the flaws as 8.3 on a 10-point scale, while Secunia said they were "highly critical"—or 4 on a 5-point scale.
Craig Schugmar, a threat researcher with McAfee's Avert Labs, says the spate of Adobe vulnerabilities is part of an ongoing shift by hackers away from operating system-focused bugs and toward application flaws.
Widely deployed, cross-platform applications are especially attractive to attackers, which means other Adobe products such as Flash and Shockwave also could be targeted, according to Schugmar.
For Cisco, meanwhile, the company is warning customers of denial-of-service vulnerabilities affecting its IOS and Unified Content Center Enterprise products.
In an advisory issued last week, Cisco said its Unified Content Center Enterprise, Unified Content Center Hosted, IP Contact Center Enterprise and IP Contact Center Hosted products are vulnerable to a glitch in the JTapi Gateway service. An attacker could exploit the flaw to get the JTapi Gateway service to restart, a process that takes several minutes and during which time no new connections can be handled, although existing connections wouldn't be cut off, Cisco said.
With IOS, the San Jose-based vendor patched a vulnerability in the Data-Link Switching feature in some versions that could enable attackers to launch denial-of-service attacks, the company also said in its advisory last week.
Data-Link Switching is used to transmit IBM Systems Network Architecture and network basic input/output system traffic over an IP network. On devices running vulnerable versions of IOS, attackers could exploit the flaw remotely without needing to be logged in, although they would need to be able to establish a Data-Link Switching connection to the device, Cisco said.
Using the 10-point Common Vulnerability Scoring System that Cisco recently began using, base scores of 3.3 were issued to both vulnerabilities. However, Symantec Deepsight saw them as more serious, assigning a severity rating of 6.7 to the IOS flaw and 5.6 to the Unified Contact Center flaw.