Adobe is in the news again, with all new ways for hackers to take over your desktop via their products. Just a few days ago security researchers discovered serious security vulnerabilities in some Adobe programs. The latest victim of attacks appears to be the Adobe Flash animation software. iDefense Labs discovered that exploitation of the flaw in the Flash player could enable hackers to gain full privileges on a user’s desktop.
The method used to “infect”a user’s PC is a malicious Shockwave Flash file created by the attacker. The Shockwave file socially engineers the file and then injects the content into a site that is trusted to complete the attack. Acrobat reader has already come under criticism after nCircle, another network security firm, found vulnerabilities in the venerated application.
Acrobatic Threats
Reading these stories about such widely used applications, it is a little bit shocking to note how little Adobe appears to be doing about it. Adobe has been fairly silent about the threats, while Symantec and nCircle warn of real and ongoing cases in Asia. According to Andrew Storms, director of security operations for nCircle:
If the history of Adobe Reader vulnerabilities shows us anything, it’s probably just a number of days before this takes off.
The Adobe Flash threat announced today, was acknowledged by the company as being a “critical” one for Adobe Flash Player 10.0.12.36 and earlier versions. They recommended that users update to the most current versions. For users who cannot update to version 10, the company has also created a patch for download. We suggest everyone who might be affected read Adobe’s security bulletin issued about the threat, and for the latest fixes.
Relative Insecurity
There is still no word of an update or fix for the earlier Acrobat Reader issues. Adobe has said they will have updates for Adobe Reader 9 and Acrobat 9 by March 11, but given these issues were announced before the Flash advisory, one has to wonder what they are waiting for. Adobe’s advice to users was simply to Disable JavaScript for what appears to be a “degree” of protection.
Meanwhile, any hacker who can “socialize” their script and get it into a trusted conduit, can effectively control your PC. Sourcefire, another security vendor, says they have already traced attacks going back to January 9, so it looks like a time for everyone to cover their own … until Adobe gets off of theirs. We hope this information helps.