Feeds

Zero-day Adobe bug overshadows impending Flash fix

Illustrator illin'

Choosing a cloud hosting partner with confidence

Fears over a reportedly unpatched flaw in Adobe Illustrator have been heightened by the release of exploit code.

A zero-day flaw in the vector graphics editor means that users tricked into opening maliciously manipulated Encapsulated Postscript Files (.eps) files are liable to find themselves hacked. Successful exploitation of the unpatched flaw triggers a memory corruption bug that clears the path towards the execution of malware on vulnerable systems.

Security notification firm Secunia reports that both Illustrator CS3 13.0.0 and CS4 14.0.0 are affected, adding that a published exploit works on fully patched Windows XP machines. Other versions of Illustrator may also be vulnerable.

Adobe acknowledged a potential problem in at least Illustrator CS4, which it said it was investigating.

Adobe is aware of a report of a potential vulnerability in Adobe Illustrator CS4 (CVE-2009-4195). We are currently investigating this issue and will have an update once we have more information. It appears that this issue would require a local user to take the action of opening a malicious .eps file in Illustrator.

The software firm's delayed quarterly patch update is due next Tuesday, a date that coincides with Microsoft's Patch Tuesday release. Adobe's security response team will have their work cut out to develop and test a patch in time.

Tuesday's releases from Adobe are due to include an update addressing a critical flaw in its Flash player software. The critical update for Adobe Flash Player 10.0.32.18 and earlier versions is due to be accompanied by a security fix for Adobe AIR 1.5.2, also addressing a critical vulnerability.

The ubiquity of Adobe software has made it a favourite target for hacking attacks over the last year or so. Booby-trapped PDF exploits have become a particular favourite in targeted attacks.

Flash exploits have also become a weapon of choice as miscreants have extended their sights beyond attacks against Internet Explorer and booby-trapped Microsoft Office document files. In response, Adobe has adopted a regular patch schedule. ®

Beginner's guide to SSL certificates

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.