July 22, 2009 3:32 PM PDT

Adobe investigating zero-day bug in Flash

by Elinor Mills

Researchers on Wednesday said they have uncovered attacks in the wild in which malicious Acrobat PDF files are exploiting a vulnerability in Flash and dropping a Trojan onto computers.

The situation could affect tons of users since Flash exists in all popular browsers, is available in PDF files, and is largely operating system-independent.

Any software that uses Flash could be vulnerable to the attack, according to Symantec. Adobe Reader is vulnerable because its Flash interpreter is vulnerable, said Paul Royal, principal researcher at Purewire, a Web security services provider.

In a post on its Web site, Adobe said it "is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information."

"The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique," Patrick Fitzgerald writes in a Symantec Security blog post.

"Typically an attacker would entice a user to visit a malicious Web site or send a malicious PDF via e-mail," he writes. "Once the unsuspecting user visits the Web site or opens the PDF this exploit will allow further malware to be dropped onto the victim's machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse."

It appears the exploit was first developed about two weeks ago, Royal said. The bug itself has been around since December 2008.

The hole is exploitable on Windows XP and Vista users are protected if User Account Control (UAC) is enabled, Symantec said.

US-CERT offered information about workarounds on its Web site:

• Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".

• Disable Flash Player or selectively enable Flash content as described in the "Securing Your Web Browser" document.
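
The first workaround above as a PowerShell script; this is an added example, not from US-CERT, Adobe or the article. The `.disabled` suffix, the `-Undo` switch and the extra `%ProgramFiles(x86)%` lookup are assumptions of this example.

```powershell
# Added example: apply or undo the US-CERT workaround by renaming the two
# Reader 9 libraries named above. Run from an elevated PowerShell prompt.
param(
    [switch]$Undo,                       # restore the original file names
    [string]$Suffix = '.disabled'        # assumed backup suffix, not from US-CERT
)

$names = 'authplay.dll', 'rt3d.dll'

# %ProgramFiles% is the location given in the advisory; the (x86) variant is
# an assumption covering 32-bit Reader installed on 64-bit Windows.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

foreach ($root in $roots) {
    $dir = Join-Path $root 'Adobe\Reader 9.0\Reader'
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    foreach ($name in $names) {
        $live     = Join-Path $dir $name
        $disabled = "$live$Suffix"
        if ($Undo) { $from, $to = $disabled, $live }
        else       { $from, $to = $live, $disabled }

        if (-not (Test-Path -LiteralPath $from)) {
            Write-Output "skip    $from (not present)"
            continue
        }
        if (Test-Path -LiteralPath $to) {
            # Never overwrite: a leftover copy may be the only original.
            Write-Warning "not touching $from because $to already exists"
            continue
        }
        try {
            Rename-Item -LiteralPath $from -NewName (Split-Path $to -Leaf) -ErrorAction Stop
            Write-Output "renamed $from -> $to"
        } catch {
            # Typical causes: Reader is running, or the prompt is not elevated.
            Write-Warning "failed  $from : $($_.Exception.Message)"
        }
    }
}
```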

Originally posted at InSecurity Complex
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
21 Comments
by SwissJay July 22, 2009 3:45 PM PDT
Thank goodness for Firefox with Adblock & NoScript... No worries.
by captainabab July 22, 2009 5:16 PM PDT
You missed the part where this happens in Adobe Reader - nothing to do with the browser or javascript.
by tm_anon July 22, 2009 9:27 PM PDT
Thank goodness for Foxit Reader on Windows.

Even better, I'm so glad I switched to Linux.
by Lerianis3 July 23, 2009 12:24 AM PDT
Frankly, tm_anon, there have been exploits lately for Linux, so stop with that ****. The fact is that Linux is NO MORE AND NO LESS secure than Windows Vista and 7. It is a LOT more secure than OSX however, which is widely acknowledged as the most insecure system out right now.
by gertruded July 23, 2009 7:30 AM PDT
Frankly, Lerianis3, your comments are pure Microsoft FUD.
by monkeyfun14 July 23, 2009 9:20 AM PDT
@gertruded

And yours are pure Apple FUD, so how is what he's doing any different than what you are doing?
by Vegaman_Dan July 23, 2009 11:18 AM PDT
How about we just say a product is as secure as the OEM makes it to be and that they all work to improve it, but there are always times when new issues come up that could not be predicted.
by Williame789 July 22, 2009 4:07 PM PDT
Finally, User Account Control (UAC) does something for our good.
by monkeyfun14 July 22, 2009 4:14 PM PDT
UAC always protects you from drive-by downloads, trojans, etc...
by gerrrg July 22, 2009 5:14 PM PDT
"The hole is exploitable on Windows XP and Vista users are protected if User Account Control (UAC) is enabled, Symantec said."

I think it would be clearer if you split the sentence up: "The hole is exploitable on Windows XP. Vista users are protected if User Account Control (UAC) is enabled, Symantec said."
by Lerianis3 July 23, 2009 12:28 AM PDT
Vista has been pretty much attack-proof lately, save if you are stupid enough to allow something that appears suddenly and without warning to run.
People should just upgrade to Windows 7 in a few months. That will solve most of the virus problems that we are having right now.
by Jack K1 July 22, 2009 5:30 PM PDT
Wheeeee. I'm so happy Adobe is on top of this.
by Vegaman_Dan July 22, 2009 5:32 PM PDT
Why.... why is Flash even being used in a PDF file?
by monkeyfun14 July 22, 2009 6:26 PM PDT
Beats me
by Lerianis3 July 23, 2009 12:28 AM PDT
Answer: Because some PDFs have embedded Flash objects in them for things like games.
by ebpda9 July 22, 2009 6:54 PM PDT
How is it a zero-day bug if the exploit was developed around 2 weeks ago, and Adobe knew about this since December? I do remember reading about this on CNET some time ago, but why didn't Adobe fix this?
by martalli July 22, 2009 7:10 PM PDT
At least this Adobe flaw only affects users if they are practicing very poor security practices. With Vista UAC, OSX, or Linux it appears the flaw won't work. Hopefully Adobe can patch this before malware writers can figure out how to compromise one of these systems.
by Nataku4ca July 23, 2009 1:03 PM PDT
unfortunately most ppl don't even know what security means... they just think firewall + av
by eiverson July 23, 2009 10:38 AM PDT
Busy summer! I wonder what software application will be under attack next week.

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/adobe-flash-attack-exploit-advanced-zero-day-computer-protection-required
by Hokulea July 23, 2009 2:49 PM PDT
There seems to be a never ending train of issues with both Flash and Acrobat/Reader.

Only three months ago I purchased an edition of Adobe CS4. When I run Secunia PSI, it shows the following CS4 components as having issues with Flash plug-ins. There doesn't seem to be a solution short of uninstalling the Flash components in the affected apps. I haven't yet contacted Adobe regarding the issues that the Secunia scan identifies.

Adobe CS4 components flagged by Secunia PSI v1.5.0.0

Adobe AIR Flash 10.x Plug-in
Adobe AIR Flash 9.x Plug-in
Bridge CS4 Flash 9.x Plug-in
Contribute CS4 Flash 10.x Plug-in
Device Central CS4 Flash 9.x Opera Plug-in
Dreamweaver CS4 Flash 10.x Plug-in
Extension Manager CS4 Flash 9.x Plug-in

Considering how much CS4 costs to purchase, I'm very disappointed that Adobe isn't doing a better job in dealing with these vulnerabilities. I run Adobe Updater on a regular basis, yet none of these issues have been addressed in the last couple of months. While I don't know for sure if these CS4 components are vulnerable, I think to be safe I must assume that they are.
by baconstang July 23, 2009 4:05 PM PDT
I wish I didn't have to read to the end of the article to find it doesn't apply to OSX.