Adobe sounds alarm on Flash zero-day attacks

Hard on the heels of last week's Reader bug, reveals zero-day vulnerability in popular Flash

Less than a week after warning users that hackers were exploiting an unpatched bug in its Reader PDF viewer, Adobe said on Monday that Flash, its other prominent program, was also under fire.

The company said it would patch Flash in two weeks, and Reader in three weeks.

In a new security advisory on Monday, Adobe said that the current version of Flash contains a critical flaw already being used in the wild by criminals to attack Windows PCs. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system," the advisory read.

The warning credited Steven Adair of the Shadowserver Foundation for reporting the vulnerability. Representatives of Shadowserver did not immediately reply to questions late Monday.

All editions of Flash, including those for Windows, Mac, Linux , Solaris and Google 's Android mobile operating system, include the flaw.

An Adobe spokeswoman characterized the attacks as "limited" and "targeted," and aimed only at Windows users.

The same bug is also present in Adobe Reader and Acrobat, the company's free PDF viewer, and its commercial PDF creation tool. That's not unusual, because both Reader and Acrobat include code to run Flash content embedded in PDF documents, making a bug in Adobe's media player typically require a patch for the PDF programs.

Adobe said it has no reports of attacks exploiting the Flash bug in Reader or Acrobat.

Monday's warning was the second since Sept. 8, when Adobe issued an advisory about a different unpatched, or "zero-day," vulnerability in Reader and Acrobat. Experts have said hackers began exploiting the Reader-Acrobat bug about the beginning of the month.

Those attacks have been dubbed "David Leadbetter" after the golf swing coach whose name was included in the subject lines of e-mails that included rigged PDFs. They have been called "scary" and "clever" for the way they sidestep important Windows defenses.

Adobe said it would update Flash to fix that program's flaw in two weeks, sometime during the week of Sept. 27.

The two bugs in Reader and Acrobat -- the one disclosed last week and Monday's -- will be patched in the week of Oct. 4 with an emergency, or "out-of-band" security update.

Unlike Flash, Reader and Acrobat are supposed to receive updates on the second Tuesday of every third month. Adobe was to patch Reader and Acrobat on Oct. 12, but has ditched that in lieu of the rush update.

This will make two consecutive quarters that Adobe has had to abandon its usual patch schedule because of zero-day attacks. In late June the company released an emergency Reader update two weeks ahead of an already-slated July 13 update.

Reader's early October patch will also be its third rush fix in little more than three months.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityAdobe SystemsMalware and VulnerabilitiesCybercrime and HackingApp Security

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?