Vulnerabilities / Threats
9/14/2010
01:39 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Adobe Facing Two Zero-Day Vulnerabilities

A warning on Monday about a vulnerability affecting Flash, Acrobat, and Reader echoes another software flaw disclosed last week.

Strategic Security Survey: Global Threat, Local Pain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full photo gallery)
Adobe on Monday warned that a critical vulnerability in the most current version of its Flash Player is being actively exploited on Windows computers.

Adobe's Reader and Acrobat software are also affected by this vulnerability but the company said that it isn't aware of active attempts to exploit the flaw in either of these two programs at the moment.

"This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in an e-mail.

The vulnerable software includes: Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android; Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX; and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

Adobe said that it plans to release a patch to address the flaw in its Flash Player software during the week of September 27, 2010. Fixes for its Reader and Acrobat software are planned for the week of October 4, 2010.

This marks the second zero-day vulnerability affecting Adobe's Acrobat and Reader software. On Wednesday, Adobe warned about a different bug affecting Acrobat and Reader. This vulnerability (CVE-2010-2883) also could cause a crash and also is being actively exploited.

Affected software includes: Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX; and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

Adobe plans to deliver a fix for CVE-2010-2883 during the week of October 4, 2010, with the other fix for Acrobat and Reader.

In March, security company F-Secure said that Acrobat/Reader was the application that was most frequently targeted by malware in 2009.

Adobe is planning to add a security "sandbox" to the next major Windows release of its Reader software later this year.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-2977
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via unspecified vectors.

CVE-2015-2978
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation."

CVE-2015-2979
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

CVE-2015-4286
Published: 2015-07-29
The web framework in Cisco UCS Central Software 1.3(0.99) allows remote attackers to read arbitrary files via a crafted HTTP request, aka Bug ID CSCuu41377.

CVE-2015-4290
Published: 2015-07-29
The kernel extension in Cisco AnyConnect Secure Mobility Client 4.0(2049) on OS X allows local users to cause a denial of service (panic) via vectors involving contiguous memory locations, aka Bug ID CSCut12255.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!