There are multiple reports emerging of two new vulnerabilities in Adobe Flash that could lead to remote code execution. There’s little information about the exact nature of the bugs available right now, and Adobe has not released any advisories or information about them either.
The vulnerabilities were disclosed on Tuesday by Russian vulnerability research company Intevydis in a post to the Daily Dave mailing list run by Immunity Inc. Intevydis does not provide information to vendors on vulnerabilities it discovers in their products, and the message on the mailing list had few details, other than to say that the exploits bypass ASLR and DEP and work against Windows 7 and older versions.
“Flash exploit makes use of two vulnerabilities, bypasses DEP/ASLR and works on Win7/WinXP with FF, Chrome and IE. OSX version is coming,” Evgeny Legerov of Intevydis said in the message.
The news of the Flash vulnerabilities comes close on the heels of Adobe’s disclosure of critical flaws in Reader and Acrobat, which are being used in targeted attacks right now. Adobe is planning to issue patches for some of the affected products next week, while the others will be patched next month in the scheduled patch release. That vulnerability has been used in targeted attacks recently, and there are reports that defense contractors are among the main targets.
Adobe officials said they have not received any information from Intevydis on the Flash bugs.
“Adobe is aware of the InteVyDis announcement and has reached out to the researcher. We would welcome any details so we can verify and address the vulnerability, but until we have additional information, there is nothing we can do beyond continuously monitoring the threat landscape as always,” an Adobe spokesperson said in an email.
The SANS Internet Storm Center said that the new Flash bugs appear to affect all of the major operating systems on which Flash runs.
“There is no patch or workaround for the vulnerabilities. As far as I know there have not been any IDS/IPS or anti-virus signatures released yet for the exploit. On the good side this one does not yet appear to have been exploited in the wild. The major operating systems that run Flash all appear to be vulnerable. The vulnerability impacts are full compromise as the user running Flash via remote arbitrary code execution, typically delivered from a malicious web page with a crafted SWF file. Little else is known about the specific nature of the vulnerabilities,” Adrien de Beaupre wrote.
