Since early July, troublemakers have been e-mailing PDF files with corrupted Flash video clips and hacking into websites to implant them. These clips, when activated, enable attackers to quickly install malicious programs on the user's computer.

Criminals typically take control of PCs, turning them into obedient "bots." They can use bot networks to steal data, siphon cash from online financial accounts, spread spam and trigger promotions to sell fake anti-virus programs.

The number of attacks could soar this week as Adobe scrambles to develop an emergency patch by Friday. The company recently began issuing security patches once a quarter, with the next update scheduled on Sept. 8.

"The volume of cybercrime has been increasing, so we've stepped up our efforts to supply best-in-class security," says Rob Tarkoff, Adobe's senior vice president and general manager of business productivity.

But even that might not solve the problem. Adobe alerts computer users every seven days about software updates that can include security patches, but users often defer installing such updates.

As a result, "We may see a broad-scale explosion of attacks," says Paul Royal, a senior researcher at Purewire.

The security firm has already found a booby-trapped e-mail sent to a corporate executive.

Last week, another security firm, Finjan Software, found several dozen legitimate Web pages carrying poisoned Flash clips.

Tarkoff says Adobe is doing all it can.

"Every software product is a target," he says. The challenge is to find a way to keep offering new features without creating new security problems. "That's (the balance that) we're focused on striking."

That balancing act may grow more difficult as cybercriminals probe for more weaknesses in Adobe programs.

Some 43% of the 1,500 cyberattacks identified by security firm F-Secure in the first six months of 2009 were directed at Acrobat Reader, up from nearly 29% last year.

That puts Acrobat Reader ahead of Microsoft Word, targeted in 40% of this year's attacks.

"Adobe has become the victim of its own success," says Don Leatham, director of solutions and strategy at security firm Lumension.

"They've become a very juicy target, and they need to significantly increase their efforts to secure and stabilize their code."

http://www.usatoday.com/tech/news/compu ... kers_N.htm

Doing so might cause a crash when a user tries to launch a PDF document with an embedded video, though Adobe is indicating that this particular crash may not be an exploitable one.

The nature of Adobe's recommended workaround tells you almost everything you need to know about the exploit: It's another case where a maliciously crafted handoff between two interpreters triggers a crash in the one that's supposed to receive the proverbial baton. That crash leaves behind a situation where leftover code in the handoff can be executed without privilege.

It's a problem which may have existed for several days, though Adobe's security blog indicates the company had just gotten wind of the problem on Tuesday. What might have been holding the team up is another security problem, which Adobe currently rates as "moderate:" an active exploit of the Adobe Reader installer, where certain installation files may be replaced with malicious code. While the security team is already working on a fix for that problem, a fix for this newer "critical" issue may only be available by this time next Thursday.

Note that this vulnerability is exclusive to Internet Explorer on Windows.

Installations of Flash Player for Firefox or other web browsers on Windows are not vulnerable.

Hey, looks like Shera's post design!

Btw, where's the Feathered One? Vacation? Tree-climbing in his kilt and got hung up on some tree limbs and can't get back down?

FF sometimes disappears for a couple days ~ sound to you like anyone else we all know??? ~

Sooz

BTW, thanks for the info Jab ~ with all of the serious problems, how in the world did Windows and IE ever get to be the industry leader? ~ or maybe being the industry leader also set each up as a juicy target ~

Sooz