Adobe Warns Of Reader, Flash Player Flaws
Adobe issued an advisory Friday warning users that a proof-of-concept file had been publicly posted to the Full Disclosure mailing list, demonstrating in detail how the Adobe Reader flaw could lead to a full scale denial of service attack.
As with other Adobe glitches, this one also enables hackers to unleash a denial of service or remote code execution attack via an infected PDF file, typically sent over e-mail. In these attacks, hackers typically trick victims into opening malicious files with some kind of social engineering tactic. The users then execute malware onto their computer once the files are opened.
Adobe said that it was currently investigating the issue. Thus far, there are no known attacks in the wild taking advantage of the Reader flaw, although security experts contend that could likely change now that the exploit has been made public.
Until Adobe develops a fix for the flaw, users currently running Adobe Reader 9.2 or higher or Adobe Reader 8.1.7 or higher can employ the JavaScript Blacklist Framework as a temporary workaround. Enterprises can use the framework as a tool to blacklist and prevent exploitable APIs from executing within their network.
This time, however, Adobe Acrobat appears to remain unaffected, Adobe said.
Meanwhile, Adobe warned users Thursday of critical memory vulnerabilities in Flash Player that could enable miscreants to launch malicious code intended to crash victims' computers or take complete control of their entire system.
Specifically, the vulnerabilities occur in Flash Player 10.1.85.3 and earlier versions for Windows, Mac, Linux and Solaris as well as the mobile version, Adobe Flash Player 10.1.95.1 for Android.
Adobe recommends that users running the older versions of Flash Player update to Flash Player 10.1.102.54, available from the Adobe Flash Player Download Center, as soon as possible in order to reduce the risk of attack. Users who can't install the update can access a patched version of Flash Player 9, version 9.0.289.0, which also can be downloaded from the Adobe Download Center.
Adobe said that an update for Flash Player for Android would become available Nov. 9.