Adobe warns of zero day vulnerability in Flash and Reader
Adobe has reported that an unpatched vulnerability in its Adobe Flash Player can be exploited to inject and execute malicious code. The vulnerability has reportedly been used for targeted attacks in which victims, rather than being lured to a crafted webpage, were sent infected Excel files via email. These contained a crafted SWF file which ran in Flash Player when the Excel file was opened.
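Responders triaging a mail attachment like the one described above want a fast way to tell whether an Office file carries an embedded Flash object at all. The Python script below is an added example, not code from the article or from Adobe: it scans raw bytes for the SWF signatures (FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed), filters implausible header matches, and for CWS confirms that the zlib stream actually inflates to the declared size. The sample container is constructed for the demo (an OLE2 magic followed by two embedded SWF headers); it is not a real Excel file or a malicious sample, and the function names are this example's own.

```python
"""First-pass triage: find Flash (SWF) files embedded inside an arbitrary
binary blob such as an Office document received by e-mail.

Added example (not from the article or from Adobe). The sample container
below is constructed for this demo; it is not a real Excel file.
"""
import struct
import sys
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
SWF_HEADER_LEN = 8  # magic(3) + version(1) + uncompressed length(4, little-endian)


def _zlib_inflates_to(payload, expected_len):
    """True if payload starts with a zlib stream that inflates to expected_len bytes."""
    try:
        d = zlib.decompressobj()
        out = d.decompress(payload)
        out += d.flush()
        return len(out) == expected_len
    except zlib.error:
        return False


def find_embedded_swf(data):
    """Return a list (sorted by offset) of dicts describing every plausible SWF header."""
    findings = []
    for magic, compression in SWF_MAGICS.items():
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx == -1:
                break
            start = idx + 1
            header = data[idx:idx + SWF_HEADER_LEN]
            if len(header) < SWF_HEADER_LEN:
                continue
            version = header[3]
            declared_len = struct.unpack("<I", header[4:8])[0]
            # Plausibility filter: three ASCII bytes also occur by chance, so require
            # a version in the range Flash players have used and a sane length.
            if version == 0 or version > 40 or declared_len < SWF_HEADER_LEN:
                continue
            payload = data[idx + SWF_HEADER_LEN:]
            if compression == "none":
                # For FWS the declared length is the whole SWF size, so that many
                # bytes must still be available from the header onwards.
                verified = len(data) - idx >= declared_len
            elif compression == "zlib":
                verified = _zlib_inflates_to(payload, declared_len - SWF_HEADER_LEN)
            else:
                verified = False  # LZMA layout not checked here: header match only
            findings.append({
                "offset": idx,
                "compression": compression,
                "version": version,
                "declared_length": declared_len,
                "verified": verified,
            })
    return sorted(findings, key=lambda f: f["offset"])


def scan_report(data):
    """Human-readable lines, one per finding."""
    return [
        "offset {offset}: SWF v{version} ({compression}), declared {declared_length} bytes, "
        "structure check {ok}".format(ok="ok" if f["verified"] else "FAILED", **f)
        for f in find_embedded_swf(data)
    ]


# --- constructed sample input (not a real document, not malware) ---
SWF_BODY = (
    b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"  # RECT: stage size
    b"\x00\x0c"                              # frame rate 12.0 (8.8 fixed point)
    b"\x01\x00"                              # frame count 1
    b"\x40\x00"                              # ShowFrame tag
    b"\x00\x00"                              # End tag
)
SWF_TOTAL_LEN = SWF_HEADER_LEN + len(SWF_BODY)
SAMPLE_CONTAINER = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # OLE2 compound-file magic (as in .xls)
    + b"\x00" * 64
    + b"FWS" + bytes([10]) + struct.pack("<I", SWF_TOTAL_LEN) + SWF_BODY
    + b"\x00" * 32
    + b"CWS" + bytes([10]) + struct.pack("<I", SWF_TOTAL_LEN) + zlib.compress(SWF_BODY)
    + b"\x00" * 16
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONTAINER
    for line in scan_report(blob) or ["no SWF headers found"]:
        print(line)
```

A raw signature scan is a first pass only: in a real compound file the stream holding the object can be split across non-adjacent sectors, so a header straddling a sector boundary would be missed, and a thorough check should walk the OLE directory first. A hit in a spreadsheet that has no business containing Flash is a strong reason to detonate the file in an isolated sandbox rather than open it on a workstation.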
Version 10.x for Windows, Mac OS X, Linux and Android, and the embedded Flash plug-in for Chrome, are all reportedly affected. Versions 10.x and 9.x of Adobe Reader and Acrobat for Windows and Mac are also vulnerable, as they contain the same bug in their integrated authplay.dll Flash engine. In the Windows edition of Adobe Reader version 10 (aka X), at least, the bug cannot be exploited to compromise a system: the sandbox function prevents malicious code from accessing the operating system, blocking attackers from installing malware. Indeed, no attacks on Adobe Reader have been observed.
According to Kaspersky, the exploit used for the current attacks will run in Windows XP, but not in Windows 7, due to its additional security features (DEP, ASLR). Adobe is working on a patch and plans to release updates for Flash Player, Reader and Acrobat in the week commencing 21 March. The update for the Windows version of Reader X is not due until mid-June, as the sandbox is, in Adobe's view, sufficient to prevent the worst for now.
- Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat, security advisory from Adobe.