> Yes, systems without Acrobat are also at risk if the Flash plugin are enabled
> in the web browser
In that case, is the exploit file a .swf flash file, or a .pdf acrobat file? Can the flash player handle .pdf files by itself?
> B) Systems with older version of Acrobat are definitely at risk.
I have run proof-of-concept exampled of many of the .PDF exploits that have been discovered during the past year on systems win Acrobat reader 6.02 (running windows 98) and they do not seem to function properly given that combination. Also, Adobe has never stated (as far as I can tell) that Acrobat 6 is or was vulnerable to any of the .pdf exploits that have been discovered during the past, oh, 2 years.
Please explain (or please indicate an appropriate URL) that specifically mentions the vulnerability status of Acrobat 6.x in terms of the .pdf exploits discovered in 2007, 2008 and 2009.
> Two ways to exploit : The user can be lured into visiting a website leading to
> execution of swf file or executing a malicious pdf file.
Can the flash player be tricked into executing a .pdf file? Even if the file name ends in .swf ?
> It does not only depend on flash.
That's where I'm confused. If it doesn't depend on flash, then why is it being referred to specifically as a flash vulnerability?
Are these two SEPARATE vulnerabilities?
Or are they the SAME root vulnerability that can be exploited from two different directions (a malicious pdf file and a malicious .swf file) ???