Adobe Patches Flash Zero-Day
Adobe patched zero-day vulnerability in Flash Player. The flaw was being exploited in the wild in targeted attacks using a malicious Web page or Flash (SWF) file embedded within a Microsoft Word (DOC) or Excel (XLS) file attachment.
Adobe recommends users of Adobe Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.159.1 (Adobe Flash Player 10.2.154.27 for Chrome users). Adobe recommends users of Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux update to Adobe AIR 2.6.19140. Adobe expects to make available an update for Adobe Flash Player 10.2.156.12 and earlier versions for Android no later than the week of April 25, 2011.
Adobe Zero-day PDF Exploit Dangerous
The latest threat from Adobe is the zero-day PDF exploit, which comes disguised as a golf lesson, can do pretty much anything. It can download malicious bots; it can load keystroke-tracking software, and more. The exploit bypasses two important defenses that Microsoft erected to protect Windows, ASLR (address space layout randomization) and DEP (date execution prevention).
From Adobe:
A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.
