Critical zero-day flaw found in Adobe Illustrator

Adobe's security response team is scrambling to deal with the release of exploit code for what appears to be a critical zero-day flaw in the Adobe Illustrator CS4 software product.
Written by Ryan Naraine, Contributor on

The vulnerability is caused by an error in the parsing of Encapsulated PostScript (.eps) files and can be exploited to corrupt memory when a user opens a specially crafted .eps file. Successful exploitation allows execution of arbitrary code, according to Secunia. The flaw is confirmed in versions CS3 13.0.0 and CS4 14.0.0. Other versions may also be affected.

Here is a link to exploit code that works against Windows XP Service Pack 3.

An overlong string as DSC comment (more than 42000 bytes) results in a direct EIP overwrite. Exception is first-chance so the program will never crash. At the moment of the redirection EAX and ESI are user-controlled.

Adobe director of product security Brad Arkin says the company is investigating the public report. Mitigation guidance is expected soon on the company's PSIRT blog.

In the interim, Secunia recommends that Illustrator users avoid opening files from untrusted sources.
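
Until a fix is available, incoming .eps files can be pre-screened for the overlong DSC comment lines described above. The following is an added example, not code from Adobe, Secunia or the exploit author; the 255-byte threshold follows the DSC 3.0 line-length convention and is an assumption to tune, and the function names and sample data are constructed for illustration.

```python
"""Flag EPS files whose DSC comment lines are abnormally long."""
import re

# DSC 3.0 says conforming documents keep lines within 255 characters.
# Using that as the alert threshold is an assumption of this example.
DSC_MAX_LINE = 255

# DOS EPS binary header: 4-byte magic, then the little-endian offset and
# length of the PostScript section (the header itself is 30 bytes).
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"

_EOL = re.compile(rb"\r\n|\r|\n")


def postscript_section(data: bytes) -> bytes:
    """Return the PostScript part, unwrapping a DOS EPS binary header if present."""
    if data[:4] == DOS_EPS_MAGIC and len(data) >= 12:
        start = int.from_bytes(data[4:8], "little")
        length = int.from_bytes(data[8:12], "little")
        return data[start:start + length]
    return data


def overlong_dsc_comments(data: bytes, limit: int = DSC_MAX_LINE):
    """Return (line_number, keyword, length) for each DSC line over `limit` bytes."""
    findings = []
    for lineno, line in enumerate(_EOL.split(postscript_section(data)), start=1):
        # DSC comments begin with "%%"; the "%!PS-Adobe" version line begins with "%!".
        if line.startswith((b"%%", b"%!")) and len(line) > limit:
            keyword = line.split(b":", 1)[0][:40].decode("latin-1")
            findings.append((lineno, keyword, len(line)))
    return findings


# Constructed samples. SUSPECT carries a 1000-byte %%Title value: over the DSC
# limit, far below the size quoted in the report, and enough to show the check.
BENIGN = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n%%Title: logo\n%%EndComments\n"
SUSPECT = (b"%!PS-Adobe-3.0 EPSF-3.0\r\n%%BoundingBox: 0 0 100 100\r\n"
           b"%%Title: " + b"A" * 1000 + b"\r\n%%EndComments\r\n")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, overlong_dsc_comments(blob))
```

A hit is a reason to quarantine the file for review, not proof of an exploit; some legitimate producers emit long DSC lines.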

UPDATE: Here is Adobe's official confirmation.
