Adobe warns of zero-day bug in Illustrator

A serious, unpatched security flaw has surfaced in Adobe Illustrator as the software maker prepares to release critical security fixes next week.
Written by Matthew Broersma, Contributor

A potential zero-day security flaw has been found in Adobe's Illustrator software that could allow an attacker to execute malicious code on a user's system.

Adobe programme manager David Lenoe on Thursday acknowledged that the software maker is aware of the problem and is in the process of verifying the bug.

"We are currently investigating this issue and will have an update once we have more information," Lenoe wrote in a blog post. He noted that the bug appears to require a local user to open a malicious .eps file in Illustrator, which would limit its severity.

Adobe did not indicate when it might supply a fix for the flaw.

The security hole is particularly serious because a proof-of-concept exploit is already in circulation, having been posted on Thursday on the hacker website Altervista.

Secunia, an independent security company, has confirmed that the flaw affects Illustrator Creative Suite 3 (CS3) and CS4, and believes other versions may also be affected.

"The vulnerability is caused due to an error in the parsing of Encapsulated Postscript Files (.eps) and can be exploited to corrupt memory when a user opens a specially crafted .eps file," Secunia said in an advisory on Thursday. "Successful exploitation allows execution of arbitrary code."

Also on Thursday, Adobe announced that it will release patches for critical security bugs in Flash Player and AIR on Tuesday. These security holes are unrelated to the Illustrator flaw.

Flaws in Adobe's software have been used in the past to spread malicious code. For instance, in October Adobe patched a hole in Acrobat Reader that had been exploited by maliciously crafted PDF files.
