Network Security, Patch/Configuration Management, Vulnerability Management

Adobe’s latest zero-day being exploited in the wild

A new critical zero-day vulnerability in Adobe Reader is being exploited in the wild, the company confirmed on Wednesday.

The current versions of Flash Player 9 and 10 and Adobe Reader and Acrobat 9 are affected by the vulnerability on Windows, Macintosh and Linux operating systems, Adobe said in an advisory Wednesday. The bug could cause a computer to crash or enable an attacker to take control of an affected system.

Acrobat, Reader and Flash are all impacted because the Flash interpreter, or the component that plays Flash objects embedded in PDFs, is vulnerable, Paul Royal, principal researcher at web security vendor Purewire, told Thursday.

“Reader and Acrobat come with modules that allow Flash to be decoded and rendered,” Marc Fossi, manager of development at Symantec told on Thursday. “Basically, the Flash module that comes with Reader and Acrobat also contains the vulnerable code, that's why they are all affected by it.”

Two types of attacks are occurring in the wild, Royal said. Targeted organizations are being emailed a PDF file with a malicious Flash file embedded inside, and more widespread exploitation is occurring on the web, where compromised legitimate websites are serving malicious Flash files to users. 

Royal said that so far, there are a “handful” of small websites that have been compromised and are hosting the malicious content. Currently, there is no publicly available proof-of-concept (POC) code for the exploit.

“Once a public POC is published, we will see an increase in the number of websites using this vulnerability that will try and place malicious software on the systems of users,” Royal said.

This vulnerability stems from a bug that was discovered last December but was only recently turned into an exploit, Royal said.

“At the time, people weren't envisioning it as a way to execute arbitrary code,” Royal said.

The flaw was submitted by a user and published on Adobe's public bug database in 2008. with a POC showing how it would cause a browser to crash. All the technical details in that entry have since been removed, Royal said. Based on an analysis of one malicious PDF sample, the bug was turned into an exploit on or around July 9.

A fix for all affected products is expected to arrive at the end of the month, Adobe said. A patch for Flash Player versions 9 and 10 on Windows, Macintosh and UNIX can be expected on July 30, while an update for Adobe Reader and Acrobat on Windows, Macintosh and UNIX is expected on July 31.

Adobe said that users can mitigate the threat for Adobe Reader and Acrobat 9 by deleting, renaming, or removing access to the authplay.dll file, which can be found under program files for Adobe Acrobat. Vista users can help mitigate the impact of exploitation by turning on User Access Control (UAC). There is no temporary fix for Flash Player however, and Adobe recommended being cautious when visiting untrusted websites.

Turning off JavaScript will not help prevent against the attack in Reader, according to a SANS Internet Storm Center post.

Adobe is working with anti-virus vendors on the threat and is recommending that users keep their anti-virus software up to date.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.