Adobe warns of Flash and Air flaws

Adobe hopes to publish Flash and Air updates next week

Adobe has issued a security alert concerning vulnerabilities in its Flash and Air products, which the firm has rated as 'critical'.

Adobe said that it expects to have fixes available for the issues by 8 December, and advised concerned users to exercise caution until the fixes are released.

"Adobe is planning to release an update for Adobe Flash Player 10.0.32.18 and earlier versions, and an update to Adobe AIR 1.5.2 and earlier versions, to resolve critical security issues. Users may monitor the latest information on the Adobe Product Security Incident Response Team blog," said Wendy Poland, security response programme manager at Adobe.

The firm has also acknowledged a problem with its Illustrator package, which it has promised to fix once it has finished its analysis. A hacker has already posted a proof of concept of the attack.

"Adobe is aware of a report of a potential vulnerability in Adobe Illustrator CS4 (CVE-2009-4195). We are currently investigating this issue. It appears that this issue would require a local user to take the action of opening a malicious .eps file in Illustrator," the firm said.

Over at the security blog Secunia, where the issue was uncovered, there are some more details. "Pyrokinesis has discovered a vulnerability in Adobe Illustrator, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the parsing of Encapsulated Postscript Files (.eps) and can be exploited to corrupt memory when a user opens a specially crafted .eps file. Successful exploitation allows execution of arbitrary code," the group explains.

The flaw is said to offer a zero day vulnerability, and will give hackers external control over the users system. Adobe Illustrator CS3 (13.0.0) and CS4 (14.0.0) are both affected.

Updates are promised on all the issues on the Adobe security blog, but none have been posted so far.