Adobe Flash Vulnerability Allows Attack via Malicious PDF File
Symantec Wednesday said it has identified a PDF file that exploits a previously unknown vulnerability in an Adobe Flash multi-media component.
Marc Fossi, manager of development at Symantec, said the company has shared information about the malicious PDF file with Adobe and "Adobe is working on a fix."
Adobe says on its blog that it is "investigating this potential issue" and will provide an update as it gets more information.
The Flash vulnerability, believed to be in Adobe Reader 9.0, 9.1. and 9.1.2 and perhaps other Adobe Flash products, allows the attack via the malicious PDF to execute malicious code on the victim's machine. "It allows remote access," said Fossi. "And it's connecting back to a few sites."
Fossi said the malicious PDF, which was submitted to Symantec, is not known to be widespread but it's clearly designed for attack purposes. The malicious PDF allows for "a heap vulnerability, and code execution."
Symantec's anti-virus software would protect against the exploit of the Flash vulnerability and in addition, for those not using Symantec products, if the user-access control in Windows Vista is open, this will also prevent the exploit from executing, Fossi said.
More info on Symantec's blog.
Earlier this week Adobe responded to claims by security vendor Secunia that Reader contains bugs and that Adobe's update process is being re-evaluated.