In association with heise online

25 February 2009, 11:49

Adobe patches critical hole in Flash Player, but PDF hole remains open

Adobe has released an update for its Flash Player that fixes a critical security vulnerability that could allow an attacker to remotely take control of a user's system. The vulnerability can be found in versions and earlier of the player. Version for Linux is also vulnerable.

For an attack to be successful, a user must either load a malicious Shockwave Flash (SWF) file into Flash Player, or simply be lured to a site containing a malicious SWF file. The update fixes the buffer overflow issue that could potentially allow an attacker to execute arbitrary code and take control of the affected system. The update also resolves an input validation issue that leads to a denial of service (DoS) attack, and a Windows-only issue in which Flash could potentially contribute to a clickjacking attack.

The Flash Player does have a built-in automatic update checker; however, it only checks for updates once every 30 days. Adobe therefore recommends that all Flash Player users update to the newest version manually. The current version of the Flash Player is Users can check which version of the Flash Player they currently have installed by simply visiting the about Adobe Flash page. An iDefense report on the issue documents the length of time that it has taken Adobe to patch this vulnerability. Initial contact was made on the 25th of August, 2008 and the issue has only now been fixed.

A critical hole in Adobe Reader and Acrobat from last week, however, still remains to be patched and no additional information has been provided by Adobe. The Reader vulnerability has been exploited in-the-wild since the 9th of January, according to Sourcefire. The initial Adobe disclosure site indicates that a patch should be released to fix the critical hole in version 9 of Reader and Acrobat on the 11th of March, followed by an update to versions 7 and 8 on the 18th of March.

As the current in-the-wild exploit reportedly uses embedded JavaScript, a preventative measure is to disable JavaScript in the Adobe Reader settings. However, Secunia advises that exploitation is possible even with JavaScript disabled: they have managed to test the exploit without the use of any JavaScript. That leaves using an alternative PDF reader as the only option until the vulnerability is fixed. To further protect against such an attack, users should also disable the PDF extensions in browsers and only open PDF files from trusted sources.

