In association with heise online

14 September 2010, 11:20

Attackers exploit additional zero-day vulnerability in Adobe Flash and Reader

Adobe has issued a warning about yet another unpatched hole in its Flash Player and Reader (including Acrobat) products that attackers are already using to infect Windows systems. Just last week, Adobe warned of a hole in Reader that criminals are also using to spread malware on Windows systems.

The new hole in Flash Player not only affects Windows, Mac OS X and Linux, but also, for the first time, Google's open source Android mobile operating system. Specifically, Adobe says that the vulnerability is found in Flash Player for Windows, Mac OS X and Linux, Flash Player for Android, as well as Adobe Reader and Acrobat 9.3.4 for all supported platforms. The vendor says that, at the moment, the hole is only being exploited in Flash Player.

An update for Flash Player is planned for September 27, with updates for Reader and Acrobat scheduled to follow on October 4. For the handling of PDFs at least, users can either switch to alternative viewers or protect themselves by, for example, switching off JavaScript in Reader. While the hole does not use JavaScript itself, the exploits in circulation use it.

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) can also be used to limit the effects of exploits. Adobe even recommended this approach over the weekend. EMET enables various protective functions in compiled binaries, such as data execution prevention (DEP) and address space layout randomization (ASLR). While the Reader exploit discovered last week can get past DEP and ASLR, EMET also includes other functions, such as Export Address Table Access Filtering, which blocks injected shellcode's access to certain APIs. EMET also tries to prevent "heap spraying."

EMET can therefore make an exploit ineffective on Windows XP systems even if they do not support ASLR. In a recent test, The H's associates at heise Security confirmed that the exploit no longer works under Windows XP with Reader 9.3.4 protected by EMET. Further testing is needed to reveal whether EMET also provides protection against the new exploit in combination with Flash Player. For instructions on installing and configuring EMET, see "Use EMET 2.0 to block Adobe Reader and Acrobat 0-day exploit" from Microsoft's Security Research & Defense team.

Some users are reporting that they are unable to download EMET due to server issues. Affected users can directly download the file and the provided user guide (PDF, direct download).

