Adobe Systems is investigating reports of a new vulnerability affecting its Illustrator software. News of the zero-day came as Adobe prepared to release updates for Adobe Flash Player and Adobe AIR to address a critical security issue.
Adobe Systems is investigating reports of a new security vulnerability affecting its Illustrator software.Proof-of-concept code for an attack was publicized this week and is circulating the Web. According to Adobe, the vulnerability can be exploited via a malicious Encapsulated PostScript (.eps) file in Illustrator.
"Adobe is aware of a report of a potential vulnerability in Adobe
Illustrator CS4 (CVE-2009-4195)," the company wrote in an advisory. "We
are currently investigating this issue and will have an update once we
have more information."
Vupen Security stated in an advisory that
the issue is caused by a memory corruption error when processing .eps
files containing overly long data, which could allow attackers to crash
an affected application or execute arbitrary code by tricking a user
into opening a specially crafted file.The
vulnerability is known to affect Illustrator Creative Suite versions 13
and 14. Adobe's next round of security updates is slated to come Dec.
8, though the company did not say whether a fix for the issue
would be ready then. The company is, however, planning to update Adobe AIR and Adobe Flash Player to address "critical" security issues.Earlier this year,
Adobe changed its development and patching process to improve security.
Part of those changes involved instituting a regular schedule for
security releases, which now come the same day as Microsoft's Patch Tuesday.
"The reason why Adobe's products...have captured the attention
of cyber-criminals is that they are so ubiquitous," blogged Graham
Cluley, senior technology consultant at Sophos. "It's not an
outrageous (gamble) for hackers to assume that you have some Adobe
software on your computer, making it a potential avenue for