Adobe Systems Inc. is investigating reports of a new zero-day vulnerability affecting a Flash component that is being targeted by attackers in the wild.
In a brief announcement on its Adobe Product Security Incident Response Team blog, Brad Arkin, the company's director for product security and privacy said the potential Flash error affects Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10.
"We are currently investigating this potential issue and will have an update once we get more information," Arkin wrote.
Symantec Corp. said its Security Response researchers recently came into possession of an Adobe Acrobat PDF file that is exploiting an Adobe Flash vulnerability and then drops and executes a Trojan onto a user's system.
"The authors have taken a bug and turned it into an exploit. Once the unsuspecting user visits the website or opens the PDF, this exploit will allow further malware to be dropped on the victim's machine and possibly open a back door," wrote Symantec security researcher Patrick Fitzgerald, on the Symantec security blog.
Fitzgerald said the Flash vulnerability is serious since it could affect multiple products and platforms. Any software that uses Flash is potentially vulnerable. The PDF exploiting the vulnerability includes multiple Flash streams (FWS). Fitzgerald said the Flash component vulnerability is also exploitable on Windows Vista, but the dropped executables do not run if UAC is enabled.
The attacks began surfacing about two days ago, according to Symantec. The Trojan is embedded in a malicious PDF file. Once the Trojan is installed on a victim's machine, it attempts to contact a website to download more malware, said Marc Fossi, manager of research and development for Symantec Security Response.
Flash has a wide install base and is generally targeted in browser-based exploits to install malicious code on a victim's computer. Applications that have wide install bases are popular targets of attackers, because they can exploit the widest number of users through a single vulnerability. So far, Symantec researchers have not discovered any other attack techniques attempting to exploit the Flash vulnerability, Fossi said.
"It is feasible that somebody could write another exploit to take advantage of the vulnerability directly through the flash player," he said. "They could set up a website with a malicious Flash stream … that could be another vector of exploitation, but we have not seen that yet."
Updated with comments from Marc Fossi of Symantec.