Zero Day Vulnerability Hits Adobe
Bug could allow an attacker to trick an Acrobat user into opening a "specially crafted" PDF file; Adobe plans to release fix next week.
A new zero-day vulnerability, first disclosed on Monday, affects the latest versions of Adobe Acrobat and Reader. The bug might allow an attacker to remotely exploit machines.
"Analysis shows that malicious PDF documents invoke a function call to Doc.printSeps() to take advantage of the vulnerability. Proof of concept code plants shell code in memory using heap spraying to exploit the vulnerability," said Websense, which first reported the flaw to Adobe.
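The Websense description gives defenders a concrete indicator to hunt for: PDF files that carry JavaScript and call printSeps(). The scanner below is an added example, not code from the article, Websense or Adobe. It constructs its own minimal PDF files as test input (labelled as constructed in the code), walks every indirect object, and inflates /FlateDecode streams so that a call hidden inside a compressed object is inspected as well as one written in plain text. The object and stream regular expressions, and extracting stream bodies without honouring /Length, are simplifications chosen for this example.

```python
import re
import zlib

# Indicators taken from the article: JavaScript actions in the file and a call
# to printSeps() inside that JavaScript. The patterns themselves are this
# example's own choices, not a vendor signature.
JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")
PRINTSEPS_RE = re.compile(rb"printSeps\s*\(", re.IGNORECASE)

# Simplified PDF structure matching: "N G obj ... endobj" and the stream body
# between the stream/endstream keywords. A production parser would use /Length
# and handle object streams; this is enough to show the detection logic.
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def object_views(pdf: bytes):
    """Yield (dictionary_text, decoded_stream_body) for each indirect object.
    The body is b"" when the object has no stream; /FlateDecode bodies are
    inflated so the text search sees the real content."""
    for m in OBJ_RE.finditer(pdf):
        obj = m.group(1)
        s = STREAM_RE.search(obj)
        if not s:
            yield obj, b""
            continue
        dictionary, body = obj[:s.start()], s.group(1)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                # Malformed or truncated stream: fall back to the raw bytes so
                # the scan still runs over whatever is present.
                pass
        yield dictionary, body


def scan_pdf(pdf: bytes) -> dict:
    """Report whether the file carries JavaScript, whether any object (after
    decoding) calls printSeps(), and whether both indicators coincide."""
    has_js = calls_printseps = False
    for dictionary, body in object_views(pdf):
        if JS_RE.search(dictionary):
            has_js = True
        if PRINTSEPS_RE.search(dictionary) or PRINTSEPS_RE.search(body):
            calls_printseps = True
    return {
        "has_javascript": has_js,
        "calls_printseps": calls_printseps,
        "suspicious": has_js and calls_printseps,
    }


def build_sample_pdf(js: bytes, compress: bool) -> bytes:
    """Construct a minimal PDF whose OpenAction runs the given JavaScript.
    Constructed test input for this example only; it is not a real sample."""
    if compress:
        body, filt = zlib.compress(js), b" /Filter /FlateDecode"
    else:
        body, filt = js, b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d%s >>\nstream\n" % (len(body), filt) + body + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    samples = {
        "benign_js": build_sample_pdf(b"app.alert('hello');", False),
        "printseps_plain": build_sample_pdf(b"this.printSeps();", False),
        "printseps_deflated": build_sample_pdf(b"this.printSeps();", True),
    }
    for name, pdf in samples.items():
        print(name, scan_pdf(pdf))
```

A plain `grep printSeps` over the file catches only the uncompressed variant; the deflated sample is flagged only because the stream is inflated first, which is why the decode step matters for any indicator that lives inside PDF JavaScript. The check is deliberately a two-part indicator (JavaScript present and printSeps called) rather than a verdict; a benign document that prints separations will also match and should be reviewed rather than blocked outright.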
According to vulnerability research firm Vupen Security, which first publicly disclosed the critical vulnerability, attackers could exploit the flaw "to crash an affected application or compromise a vulnerable system by tricking a user into opening a specially crafted PDF file."
Vupen said it confirmed the vulnerability affects Adobe Reader version 9.4 running on either Windows 7 or Windows XP SP3. In addition, it said Reader version 8.2.5 (and prior), Adobe Acrobat version 9.4 (and prior) and Adobe Acrobat version 8.2.5 (and prior) are also affected.
Adobe acknowledged a "potential" vulnerability and said that "arbitrary code execution has not been demonstrated, but may be possible." It also said that while Reader was affected, Acrobat was not.
Websense said that, to date, no attacks using the exploit have been seen in the wild.
Adobe is set to release patched versions of Adobe Reader and Acrobat versions 9.x the week of Nov. 15.