Article

Ongoing attacks target new Adobe Flash Player zero-day flaw

SearchSecurity.com Staff

Adobe Systems Inc. is warning of an ongoing attack targeting a critical zero-day vulnerability in Adobe Flash Player that could enable attackers to gain complete control of an affected computer.

Reports that we've received thus far indicate the attack is targeted at a very small number of organizations and limited in scope.

 

Brad Arkin,
senior director of product security and privacyAdobe Systems Inc.

    Requires Free Membership to View

The software maker issued an advisory, Monday, warning that several security vendors have detected Microsoft Excel files containing an embedded malicious Flash file that attempts to exploit the new Flash Player zero-day vulnerability.

Adobe said the hole exists on all supported versions of Adobe Flash Player for Windows, Macintosh, Linux, and Flash Player for Google Chrome and Android platforms. The latest versions of Adobe Reader and Acrobat are also affected. The vulnerable component is also in Adobe Reader X, the latest version of Adobe Reader, but Reader X prevents an attacker from leaving the isolated Adobe Reader sandbox to infect the computer, wrote Brad Arkin, Adobe's senior director of product security and privacy, in the company's blog.

"Reports that we've received thus far indicate the attack is targeted at a very small number of organizations and limited in scope," Arkin said.

Once the vulnerability is exploited the attacker attempts to install persistent malware on the victim's machine, Arkin said. While attacks have been limited to Microsoft Excel files, Arkin said PDF files embedded with malicious code can also be used to exploit the hole.

Adobe is still working on an out-of-cycle patch to repair the flaw. An update will be pushed out to most systems during the week of March 21, Adobe said. Adobe Reader X will be updated in the next quarterly security update for Adobe Reader, currently scheduled for June 14.

In the SecureList blog, Kaspersky Lab senior malware researcher Roel Schouwenberg said cybercriminals have designed the Flash Player attack to easily slip past antispam filters. "From my point of view, this is a clear example of too much functionality in a product leading to security problems," Schouwenberg said, adding that Microsoft or Adobe should take steps to prevent people from embedding Flash (SWF) files in Microsoft Excel.

"Call me old-fashioned, but I don't really see the point of embedded SWFs inside Excel documents," he said.

~Robert Westervelt


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: