Adobe plug-in flaws open Windows to attack
A highly critical security flaw has been discovered in Adobe’s SVG Viewer Web browser plugin for Windows. The flaws affect versions prior to 3.0.3 and users should upgrade immediately.
An error in the ActiveX control (NPSVG3.dll) makes it possible for malicious Web pages to determine whether or not a particular file exists on a user’s system by specifying the particular file in the ‘src’ property. A separate error in libpng can potentially be exploited to execute arbitrary code on a user’s system via a specially crafted PNG image.
Both could provide system access and the exposure of sensitive information.
Scalable Vector Graphics (SVG) is a graphics file format and Web development language based on XML. It enables Web developers and designers to create dynamically generated, high-quality graphics from real-time data with precise structural and visual control. Version 3.0.3 can be downloaded from www.adobe.com/svg/viewer/install.