RealTime IT News

Adobe Flash, PDF Hit by Zero-Day Flaw

If you use Adobe's Flash or Acrobat Player applications -- and you probably do -- you might want to be especially careful about what you click for the next week or so.

Adobe (NASDAQ: ADBE) has issued a critical zero-day advisory for flaws that affect its popular Flash Player (v9.0.159.0 and v10.0.22.87) software for Windows, Macintosh and Linux operating systems as well as Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX.

According to Adobe's advisory, this vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe also noted in its advisory that it is aware of attacks in the wild for the vulnerability and that an update is currently targeted for release by July 30.

The graphics software giant isn't the only vendor seeing occurrences of the Flash and PDF exploits; the Internet Storm Center (ISC) at SANS also reported observing a proliferating attack.

"At the moment, there is a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate Web sites to create a drive-by attack, as expected," ISC handler Bojan Zdrnja blogged.

Zdrnja noted in his analysis of the vulnerability that the actual security bug is with code shared by both the Flash Player and the Adobe Reader/Acrobat Player. In his view, that cross-code issue means that the attack could occur by way of a Flash file embedded in a PDF document or in Flash directly.

Adobe's advisory offers a workaround for Adobe Reader/Acrobat Player users that involves deleting the "authplay.dll" file included in those applications. That is the file that enables the Flash content to play in the PDF document.

For Flash Player users, Adobe is advising that users be cautious when browsing untrusted sites. It also noted that it's in contact with antivirus vendors on the issue.

Antivirus vendors, however, might not necessarily be up to speed quite yet.

SaaS security vendor Purewire said that an analysis of how different antivirus tools treat the flaw found that as of late Wednesday, few antivirus vendors, if any, could actually detect the problem. Purewire pointed to VirusTotal, a free service that scans malware to show how the different antivirus engines can, or can't, detect malware.

Purewire has also identified the root cause of the security flaw as being related to a bug that has been in Adobe's bug-tracking system since December 2008.

Adobe admitted that the bug that Purewire identified is in fact the same issue that leads to the vulnerability.

"We learned yesterday afternoon that the same issue we are fixing, as described in the recent advisory, was logged into Adobe's [database] as a crash bug," Brad Arkin, director of product security and privacy at Adobe, told InternetNews.com. "It wasn't labeled as a security issue and as a result, did not initiate our Incident Response process. We briefly removed public access to the original bug report, scrubbed sensitive details that would enable attackers to develop new exploits, and reposted the bug publicly with new information."

Though a week might seem like a long time to wait for a patch to be available, at least one researcher doesn't think that's the case.

"Given the size of the vendor and the relative complexity of the Flash Player software, I think that a patch before the end of the month is an impressive response," Paul Royal, principal researcher at Purewire, told InternetNews.com.

The news marks the latest effort by Adobe to clamp down on security threats and vulnerabilities. To encourage users and corporate IT to apply security patches more promptly, Adobe recently began following Microsoft's example by introducing a regular update cycle for its Adobe Reader and Acrobat products.

Even with the regular updates, however, Adobe was at the top of a recent list from security vendor F-Secure of applications that users had not patched properly.

Update adds comments from Arkin and Royal.