Exploit Released for Adobe Illustrator Zero Day Flaw
Adobe's security response team is scrambling to deal with the release of exploit code for what appears to be a critical zero-day flaw in the Adobe Illustrator CS4 software product.
The vulnerability is caused by an error in the parsing of Encapsulated PostScript (.eps) files and can be exploited to corrupt memory when a user opens a specially crafted .eps file. Successful exploitation allows execution of arbitrary code.

The flaw is confirmed in version CS3 13.0.0 and CS4 14.0.0. Other versions may also be affected.
Here is a link to exploit code that works against Windows XP Service Pack 3.
An overlong string as a DSC comment (more than 42000 bytes) results in a direct EIP overwrite. The exception is first-chance, so the program will never crash. At the moment of the redirection, EAX and ESI are user-controlled.
Adobe director of product security Brad Arkin says the company is investigating the public report. Mitigation guidance is expected soon on the company's PSIRT blog.
In the interim, Secunia recommends that Illustrator users avoid opening files from untrusted sources.
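As an added example (not from the article, Adobe or Secunia), here is a pre-open triage check for the interim period: it flags EPS files whose DSC comment lines exceed the 255-character limit that the DSC specification sets for conforming documents. The function names, the sample files and the `%%ExampleKeyword` comment are constructed for illustration, and a hit means the file is malformed, not that it is proven malicious.

```python
import re
import struct

DSC_MAX_LINE = 255                    # line-length limit for DSC-conforming files
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"   # binary header used by EPS files with a preview


def postscript_section(data: bytes) -> bytes:
    """Return the PostScript part, skipping a DOS EPS binary header if present."""
    if data[:4] == DOS_EPS_MAGIC and len(data) >= 12:
        offset, length = struct.unpack_from("<II", data, 4)
        return data[offset:offset + length]
    return data


def overlong_dsc_comments(data: bytes, limit: int = DSC_MAX_LINE):
    """Return (line_number, keyword, length) for every DSC comment over limit."""
    findings = []
    # EPS files may use LF, CR or CRLF line endings.
    lines = re.split(rb"\r\n|\r|\n", postscript_section(data))
    for number, line in enumerate(lines, start=1):
        if line.startswith((b"%%", b"%!")) and len(line) > limit:
            keyword = line[:32].split(b":")[0].split()[0].decode("latin-1")
            findings.append((number, keyword, len(line)))
    return findings


# Constructed samples (not taken from any real file or exploit).
BENIGN = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n%%EndComments\n"
OVERLONG = (b"%!PS-Adobe-3.0 EPSF-3.0\r\n%%BoundingBox: 0 0 100 100\r\n"
            b"%%ExampleKeyword: " + b"x" * 300 + b"\r\n%%EndComments\r\n")
# Same content behind a 30-byte DOS EPS header (no WMF/TIFF preview, no checksum).
DOS_WRAPPED = (DOS_EPS_MAGIC + struct.pack("<II", 30, len(OVERLONG))
               + b"\x00" * 16 + b"\xff\xff" + OVERLONG)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("overlong", OVERLONG),
                         ("dos-wrapped", DOS_WRAPPED)):
        hits = overlong_dsc_comments(sample)
        print(name, "FLAG" if hits else "ok", hits)
```

Files that are flagged can be quarantined for review instead of being opened in Illustrator.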




