Attackers exploit additional zero-day vulnerability in Adobe Flash and Reader
Adobe has issued a warning about yet another unpatched hole in its Flash Player and Reader (including Acrobat) products that attackers are already using to infect Windows systems. Just last week, Adobe warned of a hole in Reader that criminals are also using to spread malware on Windows systems.
The new hole in Flash Player not only affects Windows, Mac OS X and Linux, but also, for the first time, Google's open source Android mobile operating system. Specifically, Adobe says that the vulnerability is found in Flash Player 10.1.82.76 for Windows, Mac OS X and Linux, Flash Player 10.1.92.10 for Android, as well as Adobe Reader and Acrobat 9.3.4 for all supported platforms. The vendor says that, at the moment, the hole is only being exploited in Flash Player.
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) can also be used to limit the effects of exploits. Adobe even recommended this approach over the weekend. EMET enables various protective functions in compiled binaries, such as data execution prevention (DEP) and address space layout randomization (ASLR). While the Reader exploit discovered last week can get past DEP and ASLR, EMET also includes other functions, such as Export Address Table Access Filtering, which blocks injected shellcode's access to certain APIs. EMET also tries to prevent "heap spraying."
EMET can therefore make an exploit ineffective on Windows XP systems even if they do not support ASLR. In a recent test, The H's associates at heise Security confirmed that the exploit no longer works under Windows XP with Reader 9.3.4 protected by EMET. Further testing is needed to reveal whether EMET also provides protection against the new exploit in combination with Flash Player. For instructions on installing and configuring EMET, see "Use EMET 2.0 to block Adobe Reader and Acrobat 0-day exploit" from Microsoft's Security Research & Defense team.