Flash Zero Day Times Two

Tuesday, December 13, 2011 @ 02:12 PM gHale

An attacker can exploit two newly discovered zero day vulnerabilities in Adobe’s Flash Player to execute arbitrary code remotely, according to advisories from the U.S. Computer Emergency Readiness Team (US-CERT) and various security research companies.

Russian vulnerability research firm Intevydis discovered the flaws. They integrated exploits in its Vulndisco module for Immunity Canvas, a popular penetration-testing application.

Adobe Woes Bring Malware Offerings
Adobe Hit with Zero Day
Attackers Clean Out Duqu Servers
Attackers Hijack MIT Server

Intevydis has no plans to notify Adobe about these vulnerabilities, company founder and Chief Executive Evgeny Legerov said. Two years ago, Legerov said his company will no longer notify vendors about the vulnerabilities it discovers.

The exploits developed by Intevydis for the two zero-day Flash Player vulnerabilities can bypass Windows anti-exploitation features including DEP and ASLR, and can escape the Internet Explorer sandbox, Legerov said.

The company also published a video showing the exploits in action on Windows and promised to release Mac OS X implementations as well.

To exploit the Flash Player vulnerabilities an attacker can embed maliciously-crafted Flash content into websites or PDF documents. Adobe Reader and Acrobat generally suffer from Flash Player flaws because they incorporate a Flash playback component.

Adobe hasn’t issued an advisory for these two vulnerabilities yet and it didn’t immediately return a request for comment. The company is already working on a patch for a different zero-day vulnerability in Adobe Reader.

Leave a Reply

You must be logged in to post a comment.