Adobe Flash vulnerable to remote-execution exploit

Updated Already under the gun for a critical hole in its ubiquitous Acrobat Reader, Adobe's security team has pushed out a fix for another serious vulnerability, this one in the company's Flash animation software.

The remote code execution vulnerability has been confirmed in Flash for Windows and is believed to also affect versions that run on Linux and Apple's OS X, according to this advisory from VeriSign's iDefense Labs. Shortly after an earlier version of this article was published, Adobe released patch details here.

The exploit occurs as a result of the way Flash handles Shockwave files. By creating a particular object and then deleting it, attackers can gain arbitrary execution control over uninitialized memory locations where the invalid object resided, iDefense said. The technique involves the use of so-called heap molding and heap spraying, allowing memory contents to be overwritten with attack code.

"iDefense considers this vulnerability to be of HIGH severity due to the possibility of arbitrary code execution with minimal user interaction," Howard wrote in an email.

The vulnerability affects version 10.0.12.36 of Flash and all earlier versions, Adobe said.

The vulnerability is separate from a security bug in Adobe's Acrobat Reader program that is currently under attack. The company only notified users of the threat last week, after independent security researchers released their own advisory. According to IDG News, the attack has been in the wild for more than six weeks.

Adobe's security team didn't immediately answer an email requesting comment for this story. ®