Adobe Systems is warning users about a new vulnerability being exploited in the wild. Anti-malware researchers at McAfee have confirmed that they found evidence of at least one exploit.
According to Adobe, the vulnerability can be used to “cause a crash and potentially allow an attacker to take control of the affected system.” The bug exists in Adobe Reader 9.3.4, and earlier, for Windows, Macintosh and Unix systems. It also exists in Adobe Acrobat up to version 9.3.4 for Mac and Windows.
Adobe did not provide technical details of the vulnerability but it is thought to be the way the applications handle TrueType fonts. An advisory by security specialist Secunia advised users not to open untrusted files. It said that the issue is caused by “a boundary error within the font parsing in CoolType.dll and can be exploited to cause a stack-based buffer overflow by … tricking a user into opening a specially crafted PDF file.”
The latest version of Adobe Reader has been compiled with stack protection guarding the pointers to code to be executed. The new exploit uses a return oriented programming (ROP) exploit to bypass this protection, as well as data execution prevention (DEP), and inject malicious code into the execution process.
“Unfortunately, there are no mitigations we can offer,” a spokesperson told eWEEK in an email. “However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up-to-date.”
Adobe officials were unable to say when a patch would be available but confirmed that the company would continue to provide users with updated information. They also thanked Mila Parkour of Contagiodump [Ewww, is that a real name?- Editor] for reporting the flaw and working on this issue with them.
Adobe, like other software vendors has had to issue patches on a regular basis.
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…