This latest security breach in Adobe's software may bring some red faces at the company, as the hole has been public since December 2008.
Adobe is suffering from a two-fer of security flaws at present, with researchers revealing an attack which utilises both Acrobat Reader and Flash Player to infect targeted PCs with a Trojan horse.
According to an article over on CNet
, the vulnerability exists in Adobe Reader 9.1.2 and Adobe Flash Player 9 and 10 and has been around since at least December 2008 – although it's only within the last two weeks that security researchers have evidence of it being exploited in the wild.
The attack relies on the target opening a specially crafted SWF file, either as part of a web page or an e-mail, or opening a PDF file containing an embedded SWF. Once opened, the flaw is triggered and 'dropper' code executed which installs the malware – in the case of the current exploit, a Trojan horse package.
Both Windows XP and Vista users are potentially at risk, but those using User Account Control in Vista will be protected from the Trojan being installed. For more protection, the US-CERT
organisation suggests renaming the files authplay.dll
from your Adobe Reader directory, or disabling Flash content entirely from within your browser.
Because of the way the attack is coded, it's cross-browser – meaning it's not just Internet Explorer users at risk – although, as usual, Firefox uses equipped with the NoScript
plugin will be safe from attack via untrusted sites.
Adobe's own advisory
states that versions of Flash Player for all operating systems – including Windows, Mac, Linux, and UNIX – are vulnerable to a denial of service attack, although it only appears to be the Windows which is capable of dropping files and being further exploited. The company has also promised a fix for the issue in Flash by the 30th of July, with a fix for the Adobe Reader flaw due the day after.
Are you amazed that Adobe waited more than half a year – and until the flaw was being exploited in the wild – to patch the hole, or is the company triaging its issues as best it can? Share your thoughts over in the forums.