Update:
Adobe readies fixes for Flash as Illustrator exploit is made public.
Adobe has said that they are aware of the buffer overflow vulnerability in Illustrator CS3 and CS4 that could lead to arbitrary code execution. According to their latest security advisory, they plan to patch it.
“Adobe plans to make available an update to Adobe Illustrator to resolve the issue by January 8, 2010. Adobe recommends customers avoid opening .eps files from unknown or untrusted sources in Illustrator until a patch is available.”
While positive, this confirms that the patches due on Tuesday will include nothing for the Illustrator issue.
Original Article:
Adobe is getting ready to push the next round of security fixes, and at the same time, they will need to rush to fix a recently disclosed issue in Illustrator.
On Tuesday, Pyrokinesis released proof-of-concept code for use in Metasploit; if the vulnerability is exploited, it will allow code execution.
Secunia, who first alerted the public to the existence of the vulnerability and resulting code after it was published, said that the vulnerability is caused by an error in the parsing of Encapsulated PostScript (.eps) files and can be exploited to corrupt memory when a user opens a specially crafted .eps file. Illustrator CS3 13.0.0 and CS4 14.0.0 are affected by the vulnerability.
However, the odds of the Illustrator issue being fixed in time for Adobe’s next round of updates on Tuesday are slim to none.
Adobe has issued an alert that on Tuesday they plan to fix issues in Adobe Flash Player 10.0.32, as well as fix issues in Adobe AIR 1.5.2 18 and earlier versions of both programs.
The next Adobe patch after the one on Tuesday will come in January. Adobe has said that once they have all of the facts, they will issue an advisory on the Illustrator issue, but could not confirm that it could be used to install malware.