Qualys Blog

www.qualys.com
wkandek

0-day for Adobe Reader 9.3.4 and Flash – Update 3

Update 3
Adobe has acknowledged a 0-day in their Flash player.
Both this 0-day and the Adobe Reader flaw have patches scheduled already:

VUPEN has declared that their exploit for the Adobe Reader vulnerability will be successful even with JavaScript disabled.

Update 2
Security researchers are impressed by the creativity in the recent Adobe 0-day. VUPEN has an interesting blog post with an analysis of the DEP/ASLR bypass technique, and @reversemode and @dinodaizovi agree.

Update
While the Adobe advisory does not contain any further details on the vulnerability and the exploit, it seems that turning off JavaScript in Adobe Reader prevents the known samples of the exploit from running. Turning off JavaScript also prevents the published Metasploit code from running successfully.

We recommend turning off JavaScript in Adobe Reader and consider it a best practice for normal desktop usage.

Original
A new critical 0-day vulnerability has been discovered in the wild for the latest version of Adobe Reader 9.3.4. Adobe has published an advisory and notes that all Operating Systems are affected. They will be providing updates as more information becomes available.

Some of the exploit code is published and we expect an exploit to become available in the exploit toolkits.

We will keep you posted as we get more information.
