Committed to PDF files sent by e-mail or malicious Web sites can exploit flaw in component of the Flash and Reader.
The American company software Adobe Systems Inc. acknowledged a critical vulnerability that affects Reader and Flash programs and could expose Internet users to attack. The company said on Wednesday (22/7), the United States, which will distribute the correction between days 30 and 31 July.
According to security experts, the problem was detected seven months ago. In a security advisory posted on its website , Adobe confirmed that there is a vulnerability in the critical current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows operating systems, Mac OS and Linux as well as the component 'authplay.dll' built-in Adobe Reader and Acrobat v9.x for Windows, Mac OS and Unix.
The component 'authplay.dll' has the function of interpreter between Flash content embedded in PDF file format, Adobe, and is present on any machine equipped with Reader and Acrobat software.
The company said it will fix all versions of Flash on June 30, as well as Reader and Acrobat until July 31.
Until a patch is released, Adobe says that users can delete or rename the component 'authplay.dll', or disable the rendering of Flash to avoid attacks by corrupted files in PDF. The company also recommended that users be cautious in access to suspicious sites.
The site's Emergency Response Center of the United States (US-CERT), part of the Department of National Security of the country, issued instructions to clear the affected component of Flash on Windows machines, Mac OS and Linux.
According to security companies, committed documents in PDF format have been exploited by attackers and targeted attacks using malicious sites.
"The PDF is only a vehicle for the attack," explained the development manager of security firm Symantec, Marc Rossi. "But you do not need Flash or Reader on your system," commented Rossi. He said it was possible to exploit the flaw through a Flash content posted on a website.
The number of flaws exploited in attacks is still low, according to Rossi. However, the expert indicates that the threat can grow using e-mails with corrupted files in PDF. "When the code accesses the system - especially on Windows machines - it connects to a site to download a file like a Trojan horse on the compromised system.
The chief researcher for security company Purewire, noted that the flaw in Flash was recorded in the database of bugs in Adobe's 31 December 2008, but the actual malicious code that has exploited the vulnerability was recently created on July 9.
