9:08 pm (UTC-7) | by Jonathan Leopando (Technical Communications)
This week is turning out to be a busy one for zero-day exploits. Days after such a bug was found in Firefox, it’s Adobe’s turn to have its products under the gun.
According to the official Adobe security advisory, both the Flash and Acrobat/Reader product lines have been confirmed vulnerable to this latest problem. All current Flash versions are affected, regardless of platform. The same is mostly true for Acrobat and Reader—all released 9.x versions of Acrobat and Reader are affected though older 8.x versions are not. Neither is the Android version of Reader affected. Adobe states that attacks against Acrobat and Reader are in the wild but that no exploits have been found (so far) hitting Flash.
If exploited, the vulnerability causes a system to crash and potentially allows random code execution. More details on this particular flaw have not yet been released but it appears to be very similar to the June zero-day vulnerability. As in the June attack, the vulnerable component lies in Flash. Acrobat and Reader were just both affected because they include what is, in effect, an embedded Flash Player in the file authplay.dll.
For Acrobat and Reader, Adobe’s official advise is to remove the vulnerable component. Instructions to do so may be found at the Adobe page linked to earlier. Mitigation for Flash is only possible with Firefox, as certain extensions such as Flashblock and NoScript allow users to selectively load Flash files, protecting themselves from this flaw.
Official fixes are due by November 9 for Flash and by November 15 for Acrobat and Reader.
Update as of October 29, 2010 7:21 PM UTC
Trend Micro offers protection for this flaw for enterprise users of Deep Security and OfficeScan via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF rule number 1004113.
Update as of November 1, 2010 12:48 PM UTC
Trend Micro detects the zero-day exploit as TROJ_PIDIEF.SMQA.
TROJ_PIDIEF.SMQA drops a file which is detected as TROJ_WISP.SMA, which in turn connects to certain URLs to download more malicious files. The said URLs however are inaccessible as of this writing.
Share this article