Adobe says that it is fixing a flaw exploited by a recent zero-day attack but that the fix won't be published this year.
Nearly a week after an unidentified hacker posted attack code that exploits a flaw in Adobe's Illustrator software, the company says it will fix the issue by January 8.
In a security advisory released yesterday, Adobe confirmed that the attack affects versions 3 and 4 of its Illustrator Creative Suite software and said the flaw could give hackers a way to run unauthorised software on a victim's computer.
The attack code, posted last Tuesday, works when a victim opens a specially crafted Encapsulated PostScript (.eps) file in Illustrator. "Adobe categorizes this as a critical issue and recommends that users avoid opening .eps files from unknown or untrusted sources in Illustrator until a patch is available," the company said.
"Adobe plans to make available an update to Adobe Illustrator to resolve the issue by January 8, 2010," the company added in a note on its website.
Meanwhile, both Adobe and Microsoft are scheduled to issue critical security patches on Tuesday. Adobe will fix critical flaws in Flash Player. Microsoft is set to fix 12 bugs in a variety of its products, including a critical flaw in Internet Explorer that was publicly disclosed a few weeks ago.