On Friday, Adobe released a security advisory announcing a zero-day exploit found in specific Adobe Flash Player versions. Tagged as critical, the vulnerability (CVE-2010-1297) causes the application to crash. The underlying vulnerability could potentially also be used to run arbitrary code, for example to download or drop malicious files onto an affected system.
Currently, all released 10.0.x and 9.0.x versions of Flash, including the current version (10.0.45.2), are vulnerable. In addition, because the vulnerable component is also used by Adobe’s PDF products, both Acrobat and Reader versions 9.3.2 and earlier that belong to the 9.x family are also affected. The previous 8.x versions of Acrobat and Reader are not affected.
Malicious files exploiting this vulnerability have already been encountered by Trend Micro and are now detected as TROJ_PIDIEF.WX.
No date for a patch has been announced by Adobe. However, Adobe offers two potential workarounds, one for Flash and another for Acrobat/Reader. In the former case, users can download the 10.1 version, which is already available although it has not officially been released for public use and remains at Release Candidate status.
For the latter, users can manually delete the vulnerable component. However, once this is done, Flash content within .PDF files can no longer be opened. Users may see a crash or error message, but the exploit will not be triggered.
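The affected-version ranges and the 10.1 workaround described above can be applied to a software inventory to find the hosts that need attention. This is an added example, not code from Adobe or Trend Micro; the CSV layout, product labels, host names and sample build numbers are assumptions constructed for illustration.

```python
import csv
import io

def parse_version(text):
    """'10.0.45.2' -> (10, 0, 45, 2), so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(product, version):
    """Apply the advisory's stated ranges to one installed product."""
    try:
        v = parse_version(version)
    except ValueError:
        return "not covered"              # unparseable version: review by hand
    name = product.strip().lower()
    if name == "flash player":
        if v[:2] in ((9, 0), (10, 0)):
            return "affected"             # all released 9.0.x and 10.0.x builds
        if v[:2] == (10, 1):
            return "not affected"         # 10.1 is the workaround the post names
    elif name in ("reader", "acrobat"):
        if v[0] == 9:
            # 9.x family, 9.3.2 and earlier; pad so "9.3" and "9.3.2.0" compare right
            in_range = (v + (0, 0))[:3] <= (9, 3, 2)
            return "affected" if in_range else "not covered"
        if v[0] == 8:
            return "not affected"         # 8.x is listed as not affected
    return "not covered"                  # the post makes no statement

# Constructed sample inventory (hosts and build numbers are made up).
SAMPLE_INVENTORY = """host,product,version
ws-01,Flash Player,10.0.45.2
ws-02,Flash Player,9.0.1.0
ws-03,Flash Player,10.1.0.0
ws-04,Reader,9.3.2
ws-05,Acrobat,8.2.0
ws-06,Reader,9.3.10
"""

def triage(csv_text):
    """Return (host, product, version, verdict) for every inventory row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], r["product"], r["version"],
             classify(r["product"], r["version"])) for r in rows]

if __name__ == "__main__":
    for host, product, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:6} {product:13} {version:10} {verdict}")
```

Rows marked "not covered" fall outside anything the post states and should be checked against Adobe's advisory rather than assumed safe.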
Trend Micro protects users via the Smart Protection Network™, which detects and deletes TROJ_PIDIEF.WX via the file reputation service.
Update as of June 8, 2010, 9:15 a.m. (UTC)
Attacks that use this vulnerability are now out in full force. TROJ_PIDIEF.WX downloads TROJ_SMALL.WJX and drops BKDR_PDFKA.W onto affected systems. The latter can be used for pay-per-install (PPI) schemes that cybercriminals favor.
Update as of June 10, 2010, 7:33 a.m. (UTC)
Adobe has released a product update to resolve the security issue found in Adobe Flash Player. Users are thus advised to immediately update their software. Meanwhile, updates for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh, and Unix are expected to be released by June 29, 2010.
Trend Micro Deep Security™ and Trend Micro OfficeScan™ already protect business users against the Adobe Products authplay.dll Remote Code Execution Vulnerability via the Intrusion Defense Firewall (IDF) plug-in, provided their systems are updated with IDF rule number 1004202.