Adobe Investigates Security Vulnerability as Attack Code Surfaces

Adobe Systems is investigating reports of a new security vulnerability affecting its Illustrator software.

Proof-of-concept code for an attack was publicized this week and is circulating the Web. According to Adobe, the vulnerability can be exploited via a malicious Encapsulated PostScript (.eps) file in Illustrator.

“Adobe is aware of a report of a potential vulnerability in Adobe Illustrator CS4 (CVE-2009-4195),” the company wrote in an advisory. “We are currently investigating this issue and will have an update once we have more information.”

Vupen Security stated in an advisory that the issue is caused by a memory corruption error when processing .eps files containing overly long data, which could allow attackers to crash an affected application or execute arbitrary code by tricking a user into opening a specially crafted file.

The vulnerability is known to affect Illustrator Creative Suite versions 13 and 14. Adobe’s next round of security updates is slated to come Dec. 8, though the company did not say whether a fix for the issue would be ready then. The company is, however, planning to update Adobe AIR and Adobe Flash Player to address "critical" security issues.

Earlier this year, Adobe changed its development and patching process to improve security. Part of those changes involved instituting a regular schedule for security releases, which now come the same day as Microsoft’s Patch Tuesday.

"The reason why Adobe's products...have captured the attention of cyber-criminals is that they are so ubiquitous," blogged Graham Cluley, senior technology consultant at Sophos. "It's not an outrageous (gamble) for hackers to assume that you have some Adobe software on your computer, making it a potential avenue for attack."