Adobe Flash Player Bugs Feared to be on the Prowl

December 12, 2011, By Sanjeev Ramachandran

Two critical vulnerabilities in the latest version of Adobe's Flash Player, which could allow remote attackers to execute arbitrary code by way of a maliciously crafted SWF file, have been disclosed.

After the issues were tracked by the US Computer Emergency Readiness Team (US-CERT) and the National Institute of Standards and Technology (NIST), an advisory was published stating that Adobe Flash Player for Windows and Mac OS X is susceptible to such an attack.

The bugs were found by researchers at Intevydis with the aid of VulnDisco Step Ahead, a product designed to help companies discover security flaws in their systems.

Adobe's position on the issue is not yet known, but Intevydis CEO Eugene Legerov says the exploit bypasses DEP and ASLR and works against Firefox, Chrome and Internet Explorer.

Two years ago, Legerov announced that his company would no longer notify vendors about the vulnerabilities it discovers. Intevydis is not the only security company to have adopted the "no more free bugs" approach.

French vulnerability research firm Vupen also follows this philosophy and only shares information about the security issues it discovers with its paying customers.

Flash Player vulnerabilities can be exploited by embedding maliciously crafted Flash content in web pages or PDF documents. Adobe Reader and Acrobat are typically affected by Flash Player flaws as well, because they incorporate their own Flash playback component, so a patched browser plugin does not by itself protect against a malicious PDF.
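Both delivery paths mentioned above, Flash on a web page and Flash inside a PDF, leave recognizable byte patterns that defenders can scan for while a patch is pending. The following is an added example, not code from the original article, from Intevydis or from Adobe: a small Python scanner that recognizes the three SWF container headers (FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed) anywhere in a byte string, and that looks for the PDF RichMedia/Flash dictionary markers, including inside FlateDecode-compressed streams where a plain byte scan would miss them. The sample SWF header and sample PDF are constructed for illustration, and the version and length sanity limits are heuristic assumptions, not part of the SWF specification.

```python
import re
import struct
import zlib

# Magic bytes of the three SWF container variants: uncompressed, zlib-compressed
# (SWF 6 and later), and LZMA-compressed (SWF 13 / Flash Player 11 and later).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# PDF dictionary keys that indicate Flash content: the RichMedia annotation and
# its Flash instance type. Patterns are loose about whitespace because PDF
# writers differ in how they lay out dictionaries.
PDF_FLASH_MARKERS = {
    "RichMedia annotation": re.compile(rb"/Subtype\s*/RichMedia\b"),
    "Flash instance": re.compile(rb"/Subtype\s*/Flash\b"),
    "RichMediaSettings": re.compile(rb"/RichMediaSettings\b"),
}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def parse_swf_header(data):
    """Parse the 8-byte SWF header: 3-byte signature, 1-byte version and a
    little-endian 32-bit uncompressed length. Returns a tuple or None."""
    if len(data) < 8 or data[:3] not in SWF_MAGICS:
        return None
    signature = data[:3].decode("ascii")
    version = data[3]
    length = struct.unpack("<I", data[4:8])[0]
    return signature, version, length


def find_embedded_swf(blob):
    """Find plausible SWF headers anywhere in a byte string (a PDF stream, an
    HTML page, a mail attachment). The sanity checks are heuristics chosen to
    suppress hits on the letters F/C/Z-W-S occurring in ordinary text."""
    hits = []
    for m in re.finditer(rb"[FCZ]WS", blob):
        off = m.start()
        header = parse_swf_header(blob[off:off + 8])
        if header is None:
            continue
        signature, version, length = header
        remaining = len(blob) - off
        if not 1 <= version <= 50 or length < 8:
            continue  # assumption: no real SWF has version 0 or is shorter than its header
        if signature == "FWS" and length > remaining:
            continue  # an uncompressed SWF declares its own total file size
        if signature == "CWS" and (remaining < 9 or blob[off + 8] != 0x78):
            continue  # zlib body; CMF byte 0x78 is what encoders emit in practice (heuristic)
        if signature == "ZWS" and version < 13:
            continue  # the LZMA container did not exist before SWF 13
        hits.append({"offset": off, "signature": signature,
                     "version": version, "length": length})
    return hits


def inflate_streams(pdf_bytes):
    """Return the decompressed body of every stream that inflates as zlib data.
    Flash assets and annotation dictionaries are routinely FlateDecode-compressed,
    so they are invisible to a scan of the raw file."""
    out = []
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or another filter; the raw scan still covers it
    return out


def scan_pdf(pdf_bytes):
    """Report Flash indicators in a PDF: RichMedia dictionary markers plus SWF
    headers found in the raw bytes and inside inflated streams. Offsets of hits
    from an inflated stream are relative to that stream, not to the file."""
    views = [pdf_bytes] + inflate_streams(pdf_bytes)
    markers = sorted({name for name, pat in PDF_FLASH_MARKERS.items()
                      for v in views if pat.search(v)})
    swf = []
    for v in views:
        swf.extend(find_embedded_swf(v))
    return {"markers": markers, "swf": swf}


# Constructed samples (not real exploit files): an uncompressed SWF header
# padded to its declared 64 bytes, and a minimal PDF that carries it through a
# RichMedia annotation inside a FlateDecode stream.
FAKE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Annot /Subtype /RichMedia /RichMediaContent 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /RichMediaInstance /Subtype /Flash /Asset 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(FAKE_SWF)
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

The same `find_embedded_swf` can be run over a fetched HTML response or a mail attachment; the PDF-specific part is only the stream inflation and the RichMedia marker search. A hit is a reason to inspect, not proof of an exploit, since legitimate documents also embed Flash.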

Adobe hasn't issued an advisory for these two vulnerabilities yet. The company is already working on a patch for a different zero-day vulnerability in Adobe Reader, which is scheduled for next week.

As of now, no attack exploiting these Flash Player vulnerabilities has been detected in the wild, but security-conscious users may want to use Flash-blocking add-ons in their browsers and disable Flash support in Adobe Reader until a patch becomes available.

Are you one of them?
