McAfee said it has found a vulnerability in Adobe Systems' Reader program that reveals when and where a PDF document is opened.
The issue is not a serious problem and does not allow for remote code execution, wrote McAfee's Haifei Li in a blog post. But McAfee does consider it a security problem and has notified Adobe. It affects every version of Adobe Reader, including the latest version, 11.0.2, Li wrote.
When we look at the exploits that Adobe patched from February and March of this year, it is clear that today’s zero-day exploits are increasingly more sophisticated. This increase in sophistication is not limited to the skills needed to find and exploit the vulnerability. The code used to exploit the environment is also more robust in terms of code quality and testing. In short, exploit creation today requires the same level of rigor as professional software engineering projects.
Just hours after word leaked that Apple had poached Adobe's chief technology officer, the Internet is ablaze with the question of what, exactly, the iPhone maker plans to do with Kevin Lynch.
Lynch is particularly interesting as an executive choice for Apple because of his close association with Adobe Flash, a product he infamously clashed with Apple over, beginning in 2010.
Adobe today patched Flash Player, the fifth time this year it's updated the vulnerability-plagued software.
Unlike two of the three updates last month, however, today's was part of Adobe's regularly-scheduled patch cadence.
This is getting out of hand. For the second time this month, Adobe has issued an urgent warning telling users of its Flash plug-in to download a patch as soon as possible to avoid dangerous attacks by hackers.
Tuesday’s surprise update patches holes "that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a security bulletin. Although anyone who runs flash on a PC or Mac should install the patch as soon as possible, it’s even more urgent to do so if you’re using Mozilla’s Firefox browser, Adobe said.
Adobe has released the emergency update for Reader and Acrobat that it promised late last week.
The company decided to get a move on to deal with a newly-reported vulnerability that was actively being exploited, at least on Windows and the Mac.
The timeline has been pretty swift:
2012-02-12: Bug reported in a blog post by FireEye. Details scant.
2013-02-13: Adobe publishes a security bulletin, including a workaround for Windows users.
2013-02-17: (Weekend) Adobe announces patch "next week."
2013-02-20: Patch is released.
Adobe on Saturday said it would release an emergency patch for two Reader zero-day vulnerabilities this week.
Hackers have already been exploiting the bugs using rigged PDF documents sent as email attachments. "Adobe plans to make available updates for Adobe Reader and Acrobat ... during the week of February 18, 2013," the company said in its security incident response team's blog Saturday.
The recently discovered zero-day attacks targeting critical vulnerabilities in Adobe's ubiquitous Reader application are able to bypass recently added security defenses unless end users manually make changes to default settings, company officials said.
Adobe is investigating a report by a cyber security firm that hackers exploited previously unknown bugs in its Reader and Acrobat software to launch sophisticated attacks on PCs.
FireEye, a Silicon Valley company that helps businesses fight cyber attacks, said it obtained PDF files tainted with malicious software, which can take advantage of the newly discovered bugs. It declined to identify any victims of the attacks.
Adobe released security updates for Flash Player and Shockwave Player on Tuesday in order to address a total of 19 vulnerabilities affecting the two products.
New stand-alone versions of Flash Player 11 were released for Windows, Mac, Linux and Android. The Flash Player plug-ins bundled with Google Chrome and Internet Explorer 10 will be automatically updated through the update mechanisms of the two browsers.
