Adobe Fixes Zero-Day Bug In Flash Player, Anticipates Reader Fix
Adobe issued a security advisory last week, warning users about the critical flaw that has already paved the way for hackers to launch malicious attacks against Adobe Flash Player for Windows. Adobe offered few details about the Flash Player attacks. However, it said the related security flaw enables attackers to take complete control of an affected system or cause a user's computer to completely crash, which occurs after they open an infected media file.
The critical vulnerability occurs in fully patched versions of Flash Player 10.1.82.76 and earlier versions for Windows, Mac, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android.
The same vulnerability can also be found in fully patched versions of Adobe Reader 9.3.4 and earlier versions for Windows, Mac and Unix and Acrobat 9.3.4 and earlier versions for Windows and Mac, although no attacks have yet been found exploiting the error in those systems.
Monday's security update fixed one of two zero-day flaws that have been a thorn in Adobe's side over the last few weeks. Adobe also plans on releasing a fix during the week of Oct. 4 for another, sophisticated Adobe Reader zero-day attack, distributed via e-mail on infected PDFs, which had the ability to evade numerous anti-virus programs.
The exploit, which Adobe categorized with the highest severity rating of "critical," was distributed via a phishing attack, indicated by the e-mail subject line "David Leadbetter's One Point Lesson."
The attack affects the latest versions of Acrobat and Reader, Adobe Reader 9.3.4, 8.2.4 and earlier versions for Windows, Mac and UNIX, as well as Adobe Acrobat 9.3.4 and earlier versions for both Windows and Mac.
Essentially, the Reader vulnerability stems from a boundary error that exists within the font parsing in CoolType.dll, which triggers a stack-based buffer overflow glitch when attackers trick a user into opening a malicious PDF file, typically through some kind of social engineering scheme.
Like the Flash Player bug, the Reader vulnerability could cause users' computers to crash and enable an attacker to execute arbitrary code allowing them to completely take over an infected computer once users open a malicious PDF file.
Adobe recommended that users update their systems to the latest version of Flash Player in order to protect themselves from possible attack.
However, until a patch is released for the Reader flaw, users are simply advised to be wary of clicking on PDF attachments in e-mail, especially if they come from unfamiliar sources.