|
IT Developments
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Adobe 'zero-day' flaw is eight months old
- From: Brian Warkoczeski
- Date: Tue Jul 28 08:26:31 2009
Adobe 'zero-day' flaw is eight months old
By Ryan Naraine
July 24th, 2009
www.zdnet.com
The current zero-day attacks against Adobe Flash Player are not quite
zero-day after all. According to new information, Adobe’s security
response team knew about the vulnerability since December 31, 2008 (see
image below) but it was misdiagnosed as a “data loss corruption” issue.
When word of the attacks surfaced this week, Adobe quickly locked access
to the bug ticket with a note that it was “reclassified as a security bug.”
(Click image for full size. Credit @Shirkdog)
Once it got wind of the attacks, which exploit Flash Player within
rigged PDF documents, Adobe’s security response process kicked into
overdrive and the company released separate advisories to offer
temporary mitigation.
The company now plans to release patches on July 30th and 31st for
Windows, Mac and Linux users.
According to Sourcefire’s Lurene Grenier, there are at least two
separate vulnerabilities that are being exploited in the wild. Adobe’s
advisory only mentions “a critical vulnerability” so it’s not quite
clear if everything will be fixed next week.
In the meantime, be sure to follow Adobe’s advice and delete, rename, or
remove access to the authplay.dll file that ships with Adobe Reader and
Acrobat v9.x. This mitigates the current attack vectors.
Firefox users can simply disable the Flash Player plug-in until Adobe
releases its patches.
This misdiagnosis of a serious security vulnerability is an
embarrassment for Adobe, a company that has been struggling to clean up
its image with a major security-themed operations overhaul (podcast).
Also see:
http://blogs.zdnet.com/security/?p=3773
|
|
|
