July 27, 2009

Hackers exploit Adobe Flash, Reader flaw

Hackers exploiting a newfound flaw in Adobe Flash video player and Acrobat Reader can steal data and take money from bank accounts, online security experts say.

Adobe Systems Inc., the San Jose, Calif., maker of the video player and tool for opening PDF documents, is scrambling to develop an emergency patch by Friday, the company says.

Even if it solves the problem and sends out a security patch, the problem may persist because some users may defer installing the updates, Web and computer security experts fear.

"As a result, we may see a broad-scale explosion of attacks," Purewire Inc. senior researcher Paul Royal tells USA Today.

The security firm says it already found a booby-trapped e-mail sent to a corporate executive.

Another security firm, Finjan Inc., says it found several dozen legitimate Web pages carrying poisoned Flash clips, USA Today says.

The security firms discovered the vulnerability early this month after cybercriminals began e-mailing PDF files with corrupted Flash video clips and hacking into Web sites to implant them, USA Today reports.

The clips, when activated, enable attackers to quickly install malicious programs on users' computers. The programs turn the computers into Internet bots, or Web robots, that steal data, siphon cash from financial accounts, spread spam and trigger promotions to sell fake antivirus programs, the newspaper says.

Some 43 percent of the 1,500 cyberattacks identified by security firm F-Secure PLC in the first six months of this year were directed at Acrobat Reader, up from nearly 29 percent last year.

That puts Acrobat Reader ahead of Microsoft Word, targeted in 40 percent of this year's attacks, the Helsinki, Finland, company says.