For at least the next week users of Adobe's Acrobat Reader and Flash Player will be vulnerable to a zero-day exploit now rated as ‘highly critical', security companies are warning.
Adobe owned up last week to the issue, which affects all platforms running Flash Player v18.104.22.168 and v10.0.22.87, and Reader and Acrobat 9.x, describing known exploits as 'targeted attacks' on the Reader app.
"We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009," says an advisory on the Adobe website.
Security companies have been unimpressed at the prospect of a potentially serious exploit that gives the cautious user little option but to uninstall the Adobe programs until a patch is posted.
According to Finjan, running the exploit code through the independent VirusTotal tester turned up a stark result - none of the 40 common anti-virus programs detected it as suspicious.
"Real-time code analysis technologies are the preferred solution to block such 0-day attacks," said a company release, which also noted that its commercial gateway system did stop the exploit by using such a technique.
Independent security analyst Secunia, meanwhile, has come up with statistics that give scale to the number of users affected by the issue. Using numbers culled from over 900,000 users of its free Personal Software Inspector software (PSI), 92 percent turned out to have Adobe Flash Player 10 on their machines, with 31 percent having version 9. Forty-seven percent had the Acrobat Reader installed, with 1.7 percent using Acrobat creation software.
"A PC user with vulnerabilities in his installed software is like a house owner with open or unlocked doors. Everybody locks their house when they leave, but still we see that many PC users doesn't take care of the vulnerable software on the PC," Secunia's PSI partner manager, Mikkel Løcke Winther told Techworld.
Or, to put it more bluntly, even when Adobe makes a patch available, many ordinary users will take weeks or even months to install it, which increases the potential number of victims.
In Løcke Winther's view, the fact that exploits were being written for Adobe programs reflected the simple calculation of the criminal mind. "They have identified Adobe as a company that is vulnerable," he said.
It's been a troubling week for Adobe, which has had to own up to a less than logical patching regime for its Acrobat Reader which could leave users vulnerable to exploits by failing to update the program quickly enough.