Quick Hits

Adobe Reports Zero-Day Vulnerability; No Fix Available Yet

Flaw affects Adobe Flash Player, Reader, and Acrobat; exploits reported in the wild
Adobe is reporting a zero-day vulnerability that could cause system crashes or allow attackers to take control of affected systems.

In an advisory updated today, Adobe says that a "critical vulnerability" exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, and Solaris operating systems. The flaw also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh, and Unix.

"This vulnerability [CVE-2010-1297] could cause a crash and potentially allow an attacker to take control of the affected system," Adobe says. "There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player, Adobe Reader, and Acrobat."

Adobe has not patched the problem yet, and a schedule for the release of a fix has not been set.

In a blog, researchers at Symantec say that the attack involves Trojan.Pidief.J, which is a PDF file that drops a backdoor onto the compromised computer if an affected product is installed.

"Upon analysis of an attack, it is also observed that a malicious SWF file [detected as Trojan horse] is used in conjunction with an HTML file [detected as Downloader]to download another malware [detected as Backdoor.Trojan] from the Web," Symantec says.

Adobe says it will notify users as soon as a patch becomes available.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.