Thursday, Oct 28, 2010

Adobe Flash Player & Adobe Reader and Acrobat 0-day (CVE-2010-3654)


Elad Sharf Security Researcher

Websense® Security Labs™ has received reports of a new zero-day exploit that targets the Adobe Flash Player. Our customers are protected from this latest vulnerability by ACE, our Advanced Classification Engine. 

The vulnerability can be delivered directly via a SWF (Flash) file or via a PDF file with an embedded Flash object. An attack using the vulnerability with a PDF file has been spotted in the wild by the Contagio Malware Dump blog.
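A defender-side triage check for the two delivery forms described above, added here as an example (not code from Websense or Adobe): it flags a standalone SWF by its signature, and a PDF that carries Flash either through a `/RichMedia` annotation or through an embedded stream that inflates to a SWF. The function names and sample bytes are constructed for illustration, and the `/RichMedia` and stream checks are assumptions about how the Flash object is embedded, since the post gives no file details.

```python
import re
import zlib

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib- and LZMA-compressed SWF
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)

def looks_like_swf(data: bytes) -> bool:
    """SWF signature, a plausible version byte, and room for the 8-byte header."""
    return len(data) >= 8 and data[:3] in SWF_MAGIC and 1 <= data[3] <= 50

def classify(data: bytes) -> str:
    """Return 'swf', 'pdf-with-flash', 'pdf' or 'other' for a file's raw bytes."""
    if looks_like_swf(data):
        return "swf"
    if b"%PDF-" not in data[:1024]:      # Reader accepts the header within 1 KB
        return "other"
    if b"/RichMedia" in data:            # annotation type that hosts Flash content
        return "pdf-with-flash"
    for match in STREAM_RE.finditer(data):
        raw = match.group(1)
        candidates = [raw]
        try:
            # decompressobj tolerates truncated or padded FlateDecode data
            candidates.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            pass                         # not Flate data; raw bytes still checked
        if any(looks_like_swf(c) for c in candidates):
            return "pdf-with-flash"
    return "pdf"

# Constructed samples (not real exploit files): a bare SWF header and two PDFs.
SAMPLE_SWF = b"CWS" + bytes([10]) + (24).to_bytes(4, "little") + b"\x00" * 16

def sample_pdf(stream_body: bytes) -> bytes:
    return (b"%PDF-1.7\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + stream_body + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for name, blob in [("sample.swf", SAMPLE_SWF),
                       ("flash.pdf", sample_pdf(zlib.compress(SAMPLE_SWF))),
                       ("plain.pdf", sample_pdf(zlib.compress(b"plain text")))]:
        print(name, classify(blob))
```

This is a heuristic: PDF name escapes (`#xx`), object streams and filters other than FlateDecode can hide the markers it looks for. A `pdf` result therefore means "no Flash found by this check", not that the file is clean.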

Today Adobe issued a security advisory confirming the flaw and rating the vulnerability critical.

The past few months have been very busy with respect to vulnerabilities in Adobe products. The upcoming Adobe Acrobat Reader version, dubbed Adobe Acrobat X, promises tightened security features, so hopefully exploitation through Adobe Reader will diminish.

Adobe announced that they will release a patched version of Flash on November 9 and a fixed version of Adobe Reader the week of November 15. 

We are keeping an eye on developments and will update further as events unfold.
