New zero-day for Flash Player
An Adobe security advisory warns of a new critical vulnerability in Flash Player 10.2.153.1 for Windows, Macintosh, Linux and Solaris, Flash Player 10.2.156.12 for Android, and the Authplay.dll component in Adobe Reader and Acrobat X 10.0.2 and all earlier versions. There are already reports that the vulnerability is being exploited using crafted .swf files embedded in Microsoft Word .doc files sent as email attachments. When exploited successfully, the vulnerability can allow an attacker to take control of a system.
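Because the reported delivery vector is a Flash file embedded inside a Word attachment, a mail gateway or incident responder can triage suspect attachments by looking for SWF headers inside the raw bytes of the document. The following is an added illustration written for this page, not code from Adobe or from the advisory: it scans a byte buffer for the three SWF signatures (FWS, CWS, ZWS) and reports plausible headers. The sample "document" it builds is constructed filler with a minimal SWF header inside, not a real .doc or exploit file, and the version-range sanity check is a heuristic assumption, not a value from the advisory.

```python
import re
import struct

# A SWF file starts with a 3-byte signature, a 1-byte version and a 32-bit
# little-endian file length. FWS = uncompressed body, CWS = zlib-compressed
# body, ZWS = LZMA-compressed body. The 8-byte header is never compressed,
# so it is visible in a raw byte scan even when the body is packed.
SWF_MAGIC = re.compile(rb"[FCZ]WS")

# Heuristic (assumption, not from the advisory): reject "versions" outside a
# plausible range to cut false positives from ordinary text containing "FWS".
MAX_PLAUSIBLE_VERSION = 50


def find_embedded_swf(data: bytes):
    """Return [(offset, signature, version, declared_length), ...] for every
    plausible SWF header found anywhere in the raw bytes of a file.

    Works on legacy OLE2 .doc files because their streams are stored
    uncompressed; a .docx is a zip archive and would need unpacking first.
    """
    hits = []
    for match in SWF_MAGIC.finditer(data):
        off = match.start()
        if off + 8 > len(data):
            continue  # not enough room for a full header
        signature = match.group().decode("ascii")
        version = data[off + 3]
        (declared_length,) = struct.unpack_from("<I", data, off + 4)
        # A declared length must at least cover the header itself.
        if 1 <= version <= MAX_PLAUSIBLE_VERSION and declared_length >= 8:
            hits.append((off, signature, version, declared_length))
    return hits


def build_sample_document() -> bytes:
    """Constructed sample: filler bytes standing in for OLE document content
    with a minimal uncompressed SWF (version 10, 64 bytes) embedded in it.
    This is not a real .doc file and carries no exploit payload."""
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56
    return b"D0CF11E0 filler " * 4 + swf + b" trailing filler"


if __name__ == "__main__":
    for off, sig, ver, length in find_embedded_swf(build_sample_document()):
        print(f"SWF header at offset {off}: {sig} version {ver}, "
              f"declared length {length} bytes")
```

A hit does not by itself mean an attachment is malicious; legitimate documents can carry Flash objects. In practice the presence of a SWF inside a mail-borne .doc is the signal to quarantine the file for closer analysis, which is exactly the combination the reports above describe.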
The Krebs on Security blog reports that the vulnerability has been used as part of a targeted spear-phishing campaign disguised as important government documents and launched against organisations or individuals who work for the US government. Another example of the attack shows an email with a title of "Disentangling Industrial Policy and Competition Policy In China" with a supposed copy of an article on that subject attached.
Adobe says it is unaware of any attacks that have targeted Adobe Reader and Acrobat, and says that Reader X's protected mode would have mitigated exploitation of the vulnerability. There is no date for when Adobe plans to release updates to close the hole; the company says it is still "finalizing a schedule" to deliver any updates. It does say that Adobe Reader X will be updated on its next scheduled Patch Tuesday, 14 June, because of the mitigation offered by its protected mode.
Last month, a similar zero-day vulnerability was patched by Adobe; in that case it was being exploited by means of a crafted .swf file embedded in an Excel file. Google's automatic updates to Chrome allowed it to close that hole days before Adobe released its patch.