Adobe plugs Flash-player hole
Published: 26 Feb 2009 11:29 GMT
Adobe released a patch for a Flash player hole this week that could allow an attacker to remotely take control of a computer.
The vulnerability is critical for one for Adobe Flash Player 10.0.12.36 and earlier versions, the company said in an advisory.
To exploit the vulnerability, a targeted user must load a malicious Shockwave Flash file, which can be done by social engineering the user or injecting malicious content into a compromised, trusted website, according to an advisory from security firm iDefense.
Internet Explorer and Firefox plug-ins can be used to temporarily block and unblock Flash content, iDefense said.
While Adobe was releasing news about the Flash vulnerability, more information was surfacing about the hole in Adobe Reader 9 and Acrobat 9 that was announced on 20 February. A patch is due by 11 March.
Security company Sourcefire, which released a patch of its own, told IDG News Service that it has found evidence of attacks exploiting the vulnerability for more than six weeks.
There were two critical vulnerabilities in Adobe Reader last year that resulted in remote code execution exploits, according to an entry on the IBM Internet Security Systems blog.
"Currently, we have only witnessed this [new] exploit in highly targeted attacks and have not detected this exploit utilised heavily in the wild yet," the blog entry said. "But it is unknown how long it will be before we see this spread quickly through malicious websites. Milw0rm just released proof-of-concept exploit code. So, we don't expect it to take long before this exploit moves beyond targeted attacks to malicious exploit toolkit integration and widespread exploitation."
Credit: Adobe patches Flash hole from CNET News
Did you find this article useful?
5 out of 5 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
