Adobe is warning users about a critical vulnerability in Flash Player that also affects Adobe Reader and Acrobat. The bug can be used by remote attackers to run arbitrary code, and Adobe officials said they have already seen attacks targeting it.

The vulnerability is in Flash Player but also affects Reader and Acrobat, both of which bundle Flash functionality. Reader X is the exception: Adobe officials said its Protected Mode sandbox would prevent a successful exploit. The company plans to have a patch for the affected products ready next week for all platforms, including Windows, Mac, Linux, Android and Solaris.

“This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing,” Adobe said in its advisory on the bug.
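The delivery vector Adobe describes, a .swf carried inside an .xls attachment, is something a mail gateway or incident responder can triage for without any Flash parser: SWF files start with an 8-byte header (a three-letter signature FWS, CWS or ZWS, a one-byte version and a little-endian 32-bit uncompressed length), and a raw scan of an attachment for self-consistent headers is a cheap first pass. The scanner below is an added example written for this page, not code from Adobe or Kaspersky Lab; the sample container it scans is constructed inline and is not a real Excel file, and the plausibility rules (version range, zlib marker after a CWS header, LZMA only from SWF 13) are heuristics chosen here to cut false positives, not a specification.

```python
"""Triage scanner for SWF objects hidden in a host file such as an .xls attachment.

Added example for this article; not Adobe's or Kaspersky Lab's code.  The
container built by build_sample() is constructed here and is NOT a real Excel
file; it only mimics the situation of a SWF sitting inside a larger blob.
"""
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib-compressed, LZMA-compressed


def _plausible_header(data, idx, magic, version, length):
    """Reject byte runs that merely happen to spell a SWF signature (heuristics)."""
    if not (1 <= version <= 40) or length < 8:      # SWF versions in use are small integers
        return False
    if magic == b"FWS":
        return idx + length <= len(data)             # uncompressed: length is the real file size
    if magic == b"CWS":
        # body is a zlib stream; CMF byte 0x78 = deflate method with a 32K window
        return idx + 8 < len(data) and data[idx + 8] == 0x78
    return version >= 13                             # LZMA (ZWS) only exists from SWF 13


def find_embedded_swf(data):
    """Return [(offset, signature, version, declared_length), ...] for plausible SWF headers."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0 or idx + 8 > len(data):
                break
            version = data[idx + 3]
            (length,) = struct.unpack_from("<I", data, idx + 4)
            if _plausible_header(data, idx, magic, version, length):
                hits.append((idx, magic.decode("ascii"), version, length))
            start = idx + 1
    return sorted(hits)


def _minimal_swf_body():
    # RECT with Nbits=0 (1 byte), frame rate 12.0 as 8.8 fixed point, frame count 1, End tag
    return b"\x00" + struct.pack("<HH", 0x0C00, 1) + b"\x00\x00"


def build_sample():
    """Constructed test blob: OLE2-like prefix, one decoy header, one FWS, one CWS."""
    body = _minimal_swf_body()
    length = 8 + len(body)                                                  # 15 bytes
    fws = b"FWS" + bytes([10]) + struct.pack("<I", length) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", length) + zlib.compress(body)
    decoy = b"CWS" + bytes([10]) + struct.pack("<I", length) + b"\x00"     # no zlib stream follows
    prefix = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24             # 32 bytes, OLE2 magic only
    return prefix + decoy + b" " * 7 + fws + b"\x00" * 17 + cws + b"\x00" * 16


if __name__ == "__main__":
    for off, sig, ver, ln in find_embedded_swf(build_sample()):
        print(f"SWF {sig} v{ver} at offset {off}, declared length {ln}")
```

A flat byte scan is a triage step, not a verdict: a real .xls is an OLE2 compound file whose streams can be split across non-contiguous sectors, so the header and body of an embedded SWF may not be adjacent in the file. For anything beyond first-pass filtering, walk the OLE2 streams (for example with the olefile library) and run the same header check on each reassembled stream, and treat a hit as a reason to detonate or inspect the attachment rather than as proof of CVE-2011-0609.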

“This kind of structure is a perfect setup for targeted attacks. And not surprisingly, targeted attacks have indeed been reported,” Kaspersky Lab malware researcher Roel Schouwenberg wrote in a blog post about the bug. “During testing, the particular exploit was not able to run successfully on Windows 7. It did work on Windows XP. It’s likely though a ROP-exploit would be able to exploit this vulnerability under Windows 7.”

Even though the new Flash bug apparently wouldn’t be exploitable in Reader X, Adobe plans to update that application in its scheduled quarterly Reader patch release in June.

Categories: Malware, Vulnerabilities, Web Security

Comments (6)

  1. Anonymous

    So Adobe only has one programmer and they’re on vacation?  If this is such a big deal, you would think it wouldn’t take a week to fix it… Just like 64 bit flash, there must just be one programmer who just says, I don’t feel like it…

  2. Anonymous

    @ anon above, you do not appreciate how complex these Adobe / Macromedia apps are. Even if identifying the issue and creating a fix only took a short time, there is still QA on all affected platforms that must be completed.

    If you are unhappy with Adobe, rather than whine, just switch. There are many alternatives to Adobe’s PDF viewer that even run on Windows and Mac.

    For flash, the alternatives are a bit more limited. Gnash (not sure if ported to Windows or Mac) will play a youtube video, but most other flash content will not run, and many video sites will not work. There is another whose name escapes me, but last I tried it, it was less suitable as a replacement than Gnash.

    On the bright side, flash seems to be falling out of favor, and on its way to going away.

  3. Anonymous

    @Anon above

    1.  Gnash will not play Youtube video and will also not play a lot of stuff.  At least in my setup. There are reasons for this, mostly political, which are related to the “thou shalt not reverse engineer Flash” rule, which means that the Gnash devs do not even have Flash installed.  More than anything, this explains why Gnash sucks so much more than Flash does, because functionality cannot be tested against Flash itself directly.

    2. And yes, there are alternatives to Reader.  More and more people are and have switched away from Reader because of the security problems and the fact that Reader is one of the biggest if not /the/ biggest steaming pile of manure when it comes to software.  It would be nice, however, if I could get a PDF reader that didn’t suck from the same company that publishes the standard.  

  4. Anonymous

    Wow!  Why does everyone assume that an announcement of a flaw is a bad thing?  Um, did it never occur to you that identifying the flaw is a huge step to fixing it?  Except, perhaps, for Apple.  They don’t bother to look for flaws.  They rarely announce flaws.  They like to make it seem like their pathetic excuse for security is perfect.

    At least Microsoft and Adobe have become experts on security.  They respond quickly and patches are released quickly.  That used to not be the case, but out of necessity, it’s rung true.

    @Anon above

    So Flash is fading out???  Any proof of that?  I don’t see any evidence of that.  You can uninstall flash on a computer and several websites show an alternate version, but in general, Flash is still there.  They are just hiding it from you so that the website looks professional with or without flash.

    Do you even know what Flash does?  I bet you have no idea.  You hear of Flash and you think of videos and advertisements.  That’s only a tiny portion of what Flash does for the web.  HTML5 is nowhere near the capabilities of Flash.  It will take decades for it to catch up at the rate W3C is moving.  And by then, Flash will have evolved so much farther.  The most recent release introduces 3D acceleration capabilities that would allow a Flash developer to produce games that rival the HD graphics of the XBOX 360.  Let’s see HTML5 do that without a plugin.  Good luck with that.

  5. Anonymous

    OMG, can all of you whine loud enough?  Yes, Flash has flaws; it was created by a human and we all have flaws.  This is called progress: release, fix, modify, release.  All software companies face this and it will never go away in our lifetimes.  Happens less often, yes, but never goes away.  We adapt as we learn and use what we learn to try and move forward and do better.

    Remember, if there was nothing bad to offset the good everything becomes grey.

