A new zero day flaw in Windows XP and Server 2003 is being exploited in the wild to bypass the sandbox on unpatched versions of Adobe Reader, security firm FireEye has reported.
According to the firm’s analysis, the vulnerability allows for a standard user running XP SP3 to elevate privileges to admin level, allowing a targeted attack on users running Reader versions 9.5.4, 10.1.6, 11.0.02 and before using a malicious PDF.
Today Adobe issued updates for the Flash Player on Windows, Mac and Linux. Adobe AIR and the AIR SDK and Compiler are also being updated. At the same time the company issued a security hotfix for ColdFusion, their web application platform.
Adobe says that these updates are unrelated to the recent theft of ColdFusion source code.
In an update on the data breach disclosed earlier this month, Adobe has said that source code for Photoshop was stolen. Making matters worse, a file containing 150 million usernames and hashed passwords has appeared online, and the company says that 38 million accounts were directly impacted by the incident.
Adobe has worked with Apple to sandbox Flash Player under Safari in Mac OS X, restricting the ability of attackers to exploit any vulnerabilities they might find in the browser plug-in.
"With this week's release of Safari in OS X Mavericks, Flash Player will now be protected by an OS X App Sandbox," Peleus Uhley, platform security strategist at Adobe, said Wednesday in a blog post. A sandbox is a mechanism that enforces certain restrictions on how an application interacts with the underlying operating system.
Adobe said it suffered a sustained compromise of its corporate network, allowing hackers to illegally access source code for several of its widely used software applications as well as password data and other sensitive information belonging to almost three million customers.