Adobe has issued a security advisory about a “critical” vulnerability in its Flash Player and Adobe Reader and Acrobat products that it says could let attackers take control of people’s computers.

The company said late Friday that there had been reports of the hole actually being exploited and that an official patch was not yet available.

Affected software includes:

  • Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux, and Solaris
  • Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh, and Unix

via Adobe reports ‘critical’ flaw in Flash, Acrobat | Security – CNET News.

Categories: Security
Posted By: jmiles
Last Edit: 07 Jun 2010 @ 01:37 PM


A new zero-day bug affecting Adobe Reader and Acrobat is being exploited in the wild. Though the vulnerability affects the products on Unix, Mac and Windows systems, the exploit observed in the wild is focused on Microsoft Windows for the moment.

Adobe is warning users about a critical vulnerability in versions of Adobe Reader and Acrobat that is being exploited in targeted attacks.

via eWeek.

Categories: Security
Posted By: jmiles
Last Edit: 13 Oct 2009 @ 10:11 PM

 24 Jul 2009 @ 6:13 AM 

Adobe Admits Users Are Vulnerable After Downloading Reader.  From CIO Magazine.

Adobe leaves vulnerable versions of Reader (for example, version 9.1) available for download on its web site, and the user can only update (to, say, 9.1.2) by patching. But the automatic patching mechanism, for many users, does not run at first execution and may not update Adobe Reader for days or weeks, leaving those users unknowingly vulnerable. Meanwhile, “Hackers continue to hammer Reader. According to New York-based CA today, there are ‘a vast number of malicious PDF files in circulation on the Internet,’ many of them pitching multiple exploits at Windows users.”

Adobe is reevaluating its practices for updating Reader.

Categories: Security
Posted By: jmiles
Last Edit: 24 Jul 2009 @ 06:13 AM


May 15, 2009:

A new round of Web site hijacks is attempting to install malicious, Google-focused software on unpatched PCs, …cementing the drive-by-download approach as a bad-guy tactic of choice.

The attack, dubbed “Gumblar” by ScanSafe, starts by hijacking legitimate sites and inserting attack code. The more than 1,500 hacked sites, including Tennis.com and Variety.com, don’t represent an especially huge number, but it’s growing rapidly. Since last week, the attack has grown by 80 percent, according to the company, and has spiked 188 percent since yesterday.

The attack code has largely gone after PDF and Flash flaws discovered in the last year … these particular assaults can be largely neutered by making sure you have the latest versions of the Adobe software.

… The PDF attack approach is more bad news for Adobe, whose programs have become a favorite target of late.

via Gumblar Hacked Sites Install Google-Targeting Malware.  (CIO Magazine)

Categories: Security
Posted By: jmiles
Last Edit: 17 May 2009 @ 12:03 PM
