Adobe confirms Flash zero-day bug in PDF docs
Hackers exploiting flaw already in the wild, says iDefense
Computerworld - Adobe is investigating a critical vulnerability in its Flash format that is currently being exploited by hackers using malicious PDF documents, according to the company's security team and outside researchers.
Adobe said little in a short entry to its security blog late Tuesday. "Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10," said Brad Arkin, the company's director for product security and privacy. "We are currently investigating this potential issue."
Reader and Acrobat 9.1.2 are the most current versions of those applications.
An Adobe spokesman early Wednesday confirmed that the vulnerability was an issue within Flash content that is inserted into a PDF (Portable Document Format) file. Users can drop Flash movies into PDF files, for instance.
VeriSign's iDefense said it spotted an in-the-wild attack exploiting the Flash zero-day, according to a message posted to Twitter yesterday. "iDefense recently investigated a targeted attack using [an] embedded zero-day Flash exploit inside a PDF file," the security intelligence company said.
Adobe has had its share of security problems this year, particularly with Reader, the popular PDF viewer. In mid-March, for example, it plugged several holes in Reader, including one that had been exploited by hackers since early January. Then in both May and June it followed that with further fixes to quash another Reader zero-day and patch another 13 bugs in the viewer.
Security was also at issue this week when Danish bug tracker Secunia noticed that Adobe continues to provide an outdated edition of Reader for download. Yesterday, Adobe reacted to Secunia's report by saying it was reevaluating how its software updater operated.
iDefense did not immediately respond to a request for more information on its findings, while Adobe's spokesman said details of the Flash-PDF vulnerability would be posted on the company's security blog when they are available.
- Retired US airport body scanners fail to spot guns, knives
- 'Reveton'ransomware adds powerful password stealer
- Many Chrome browser extensions do sneaky things
- Kicking the stool out from under the cybercrime economy
- Symantec folds nine Norton products into one service
- Why would Chinese hackers want US hospital patient data?
- Senator questions airlines' data privacy practices
- About 4.5M face risk of ID theft after hospital network hacked
- SDS still young, but very much on the rise
- Startup builds intrusion prevention system for home networks
Read more about Security in Computerworld's Security Topic Center.
- Learn More About Peer 1 Hosting's Mission Critical Cloud Mission Critical Cloud from Peer 1 Hosting is enterprise-ready, creating a perfect point of adoption whether you need an off-premise solution for development
- What Makes a Cloud Solution Truly Enterprise-Grade? Future enterprise cloud capabilities will evolve from five core elements...
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade.
- Peer 1's Mission Critical Cloud: Your Cloud, Your Way Peer 1 Hosting's Mission Critical Cloud offers the ultimate in flexible customization of infrastructure, resources and support. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!