Adobe Systems Inc. is warning of an ongoing attack targeting a critical zero-day vulnerability in Adobe Flash Player that could enable attackers to gain complete control of an affected computer.
Reports that we've received thus far indicate the attack is targeted at a very small number of organizations and limited in scope.
senior director of product security and privacyAdobe Systems Inc.
The software maker issued an advisory, Monday, warning that several security vendors have detected Microsoft Excel files containing an embedded malicious Flash file that attempts to exploit the new Flash Player zero-day vulnerability.
Adobe said the hole exists on all supported versions of Adobe Flash Player for Windows, Macintosh, Linux, and Flash Player for Google Chrome and Android platforms. The latest versions of Adobe Reader and Acrobat are also affected. The vulnerable component is also in Adobe Reader X, the latest version of Adobe Reader, but Reader X prevents an attacker from leaving the isolated Adobe Reader sandbox to infect the computer, wrote Brad Arkin, Adobe's senior director of product security and privacy, in the company's blog.
"Reports that we've received thus far indicate the attack is targeted at a very small number of organizations and limited in scope," Arkin said.
Once the vulnerability is exploited the attacker attempts to install persistent malware on the victim's machine, Arkin said. While attacks have been limited to Microsoft Excel files, Arkin said PDF files embedded with malicious code can also be used to exploit the hole.
Adobe is still working on an out-of-cycle patch to repair the flaw. An update will be pushed out to most systems during the week of March 21, Adobe said. Adobe Reader X will be updated in the next quarterly security update for Adobe Reader, currently scheduled for June 14.
In the SecureList blog, Kaspersky Lab senior malware researcher Roel Schouwenberg said cybercriminals have designed the Flash Player attack to easily slip past antispam filters. "From my point of view, this is a clear example of too much functionality in a product leading to security problems," Schouwenberg said, adding that Microsoft or Adobe should take steps to prevent people from embedding Flash (SWF) files in Microsoft Excel.
"Call me old-fashioned, but I don't really see the point of embedded SWFs inside Excel documents," he said.