Vulnerabilities / Threats
9/14/2010
01:39 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Adobe Facing Two Zero-Day Vulnerabilities

A warning on Monday about a vulnerability affecting Flash, Acrobat, and Reader echoes another software flaw disclosed last week.

Strategic Security Survey: Global Threat, Local Pain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full photo gallery)
Adobe on Monday warned that a critical vulnerability in the most current version of its Flash Player is being actively exploited on Windows computers.

Adobe's Reader and Acrobat software are also affected by this vulnerability but the company said that it isn't aware of active attempts to exploit the flaw in either of these two programs at the moment.

"This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in an e-mail.

The vulnerable software includes: Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android; Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX; and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

Adobe said that it plans to release a patch to address the flaw in its Flash Player software during the week of September 27, 2010. Fixes for its Reader and Acrobat software are planned for the week of October 4, 2010.

This marks the second zero-day vulnerability affecting Adobe's Acrobat and Reader software. On Wednesday, Adobe warned about a different bug affecting Acrobat and Reader. This vulnerability (CVE-2010-2883) also could cause a crash and also is being actively exploited.

Affected software includes: Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX; and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

Adobe plans to deliver a fix for CVE-2010-2883 during the week of October 4, 2010, with the other fix for Acrobat and Reader.

In March, security company F-Secure said that Acrobat/Reader was the application that was most frequently targeted by malware in 2009.

Adobe is planning to add a security "sandbox" to the next major Windows release of its Reader software later this year.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8802
Published: 2015-01-23
The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

CVE-2014-9623
Published: 2015-01-23
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state.

CVE-2014-9638
Published: 2015-01-23
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

CVE-2014-9639
Published: 2015-01-23
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640
Published: 2015-01-23
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.