New zero-day vulnerabilities found in Adobe Flash Player
Something similar to the zero-day exploit recently discovered in Adobe's Reader and Acrobat tools has been found for its Flash Player as well.
When it comes to malware exploits, Adobe's Flash and PDF software can't seem to catch a break recently.
Recently a vulnerability was found in both Mac and Windows versions of Adobe's Acrobat and Reader products that could allow an attacker to crash the programs and gain control of the system. So far only have been found, but as well.
Now two similar vulnerabilities have been found in Adobe's Flash Player, which likewise could result in arbitrary code being executed on the system.
Computerworld is reporting that the flaws, for which advisories have been issued by US-CERT, were discovered by Intevydis, a Russian vulnerability research company. Apparently the vulnerability bypasses antiexploitation features in Windows such as DEP and ASLR, and can get around the Internet Explorer sandbox (there is no information on how other browsers handle the issue).
While Intevydis has so far shown the exploit on Windows machines, apparently it works in OS X as well.
So far Adobe has only addressed these exploits for version 9.x of its Reader and Acrobat products for Windows; fixes for the other versions are due in about a month's time. Adobe has not yet issued a response to the current findings regarding Flash Player.
Unlike malware that is directly downloaded to a system and scanned, these malware attempts run through the Flash Player or Adobe Reader programs themselves, making it harder for malware scanners to detect them.
The exploits should be addressed by Adobe sooner or later, but until then you might consider a tool like Click2Flash, NoScript, or Click2Plugin for blocking unwanted Flash content from running on your system.