
Adobe Flash Flaw Could Give Attackers Full Control

Less than a week after security researchers warned of a vulnerability in two Adobe programs that could allow hackers to compromise a PC comes yet another critical exploit that could hijack your desktop. This time, attackers have targeted Adobe's Flash animation software.

According to iDefense Labs, remote exploitation of the vulnerability in the Flash player could allow an attacker to execute arbitrary code with full user privileges. That means anything you could do with your PC, the attacker could, too.

"To exploit this vulnerability, a targeted user must load a malicious Shockwave Flash file created by an attacker," iDefense Labs said. "An attacker typically accomplishes this via social engineering or injecting content into a compromised, trusted site."

Adobe's Black Eye

Adobe already has a black eye because of a zero-day vulnerability in Acrobat Reader that has attracted a lot of attention in the press and the security community, according to Andrew Storms, director of security operations for nCircle. The network security and compliance automation firm works with companies like Safeway, U.S. Cellular, and Archer Daniels Midland.

"Some people are asking why is it taking Adobe so long to release a patch for the Acrobat bug when third-party companies have already released mitigation steps and a few have even released their own Acrobat patches," Storms said. "Meanwhile, apart from a simple security notice on its Web site, Adobe has been conspicuous by their silence."

The optimistic view is that Adobe has been busy working on a Flash update and ensuring a high level of quality in its Acrobat patch. Storms said we have little choice but to take the optimistic view because anything else would further degrade Adobe's reputation with an information-security community already surprised by its lack of response.

"At this point, Adobe needs to do two things in a hurry," Storms said. "First, they need to provide mitigation advice for both the known Acrobat zero-day vulnerability and this new Flash advisory. Second, they need to begin an advance notification program so enterprises can plan for Adobe patches."

Adobe's Response

Adobe wasn't immediately available for comment, but on Tuesday afternoon it confirmed the vulnerability in its Flash software on all platforms. The vulnerability is in Adobe Flash Player 10.0.12.36 and earlier versions. Adobe rates the vulnerability as critical.

Adobe recommended users update to the most current version of Flash Player for their platform. For users who cannot update to Flash Player 10, Adobe has developed patched versions of two earlier versions that are available for download.

However, there is still no update on the Adobe Reader and Acrobat flaws. Adobe said in an earlier security advisory that it will make an update available for Adobe Reader 9 and Acrobat 9 by March 11. That is still two weeks away. Meanwhile, attackers are actively exploiting the flaw.

Adobe's only advice: Disabling JavaScript in Reader and Acrobat may protect users. "Disabling JavaScript provides protection against currently known attacks," Adobe said in its Feb. 19 security advisory. "However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk."
