Adobe Systems Inc. has issued a security advisory notifying users of a serious Flash Player zero-day exploit that could be used by attackers to gain complete control of a system. The software maker warns that ongoing attacks are spreading using a malicious Microsoft Word document.
The flaw affects Adobe Flash Player for Windows, Macintosh, Linux and Solaris as well as Flash Player for Android and Chrome users. In the security advisory issued Monday, Adobe said the vulnerability could cause a crash, setting up a condition that could potentially allow an attacker to execute malicious code on an affected system.
In addition, a component in Adobe Reader and Acrobat X for Windows, Macintosh and Unix systems contains a vulnerability, Adobe said. The issue is in the Windows Authplay.dll component shipping with the latest version of Adobe Reader and Acrobat X.
“There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment,” Adobe said. “At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat.”
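The delivery vector Adobe describes is a Flash (.swf) file embedded inside a Word (.doc) attachment. A mail gateway or endpoint scanner can flag such attachments without knowing anything about the specific flaw by looking for SWF file headers inside Office documents. The following is an added example, not code from Adobe or from this article; the sample attachments are constructed inline, the function names and the version-number sanity limit are assumptions, and a real deployment would run this over attachments extracted from the mail stream.

```python
import struct
from typing import Dict, List, Tuple

# Magic bytes of uncompressed, zlib-compressed and LZMA-compressed SWF files.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Legacy binary Office documents (.doc, .xls, .ppt) are OLE2 compound files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _plausible(data: bytes, off: int, magic: bytes, version: int,
               length: int, max_version: int) -> bool:
    """Reject byte runs that merely look like 'FWS'/'CWS'/'ZWS' in text."""
    if not 1 <= version <= max_version or length < 8:
        return False
    if magic == b"FWS":
        # Uncompressed SWF: declared length is the whole file, so it cannot
        # exceed the bytes that remain after the header.
        return length <= len(data) - off
    if magic == b"CWS":
        # zlib stream follows the 8-byte header; its CMF byte is 0x78.
        return len(data) > off + 8 and data[off + 8] == 0x78
    # ZWS: LZMA compression only exists from SWF version 13 onwards.
    return version >= 13


def find_embedded_swf(data: bytes, max_version: int = 45) -> List[Tuple[int, str, int, int]]:
    """Return (offset, magic, version, declared_length) for every plausible SWF header."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            start = off + 1
            header = data[off:off + 8]
            if len(header) < 8:
                continue
            version = header[3]
            length = struct.unpack("<I", header[4:8])[0]
            if _plausible(data, off, magic, version, length, max_version):
                hits.append((off, magic.decode(), version, length))
    return sorted(hits)


def scan_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Flag an OLE2 Office document that carries an embedded SWF header."""
    is_office_doc = data.startswith(OLE2_MAGIC)
    embedded = find_embedded_swf(data)
    return {
        "filename": filename,
        "is_office_doc": is_office_doc,
        "embedded_swf": embedded,
        "flag": is_office_doc and bool(embedded),
    }


# Constructed samples (not real malware): a fake .doc with an uncompressed
# SWF header at offset 128 whose declared length (72) matches the bytes that
# follow it, and a clean .doc that merely contains the text "FWS".
SUSPICIOUS_DOC = (OLE2_MAGIC + b"\x00" * 120
                  + b"FWS" + bytes([10]) + struct.pack("<I", 72)
                  + b"\x00" * 64)
CLEAN_DOC = OLE2_MAGIC + b"\x00" * 16 + b"This memo mentions FWS in passing, nothing embedded."

if __name__ == "__main__":
    for name, blob in (("invoice.doc", SUSPICIOUS_DOC), ("memo.doc", CLEAN_DOC)):
        print(scan_attachment(name, blob))
```

The header sanity checks matter in practice: the three-letter magics occur by chance in ordinary text, so the scanner only reports a hit when the version byte and declared length are consistent with a real SWF header. A hit is a reason to quarantine and inspect, not proof of exploitation, since legitimate documents can also carry Flash objects.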
Adobe said the threat to Reader X users is significantly lower because this issue does not bypass Adobe Reader Protected Mode.
Adobe has not ruled out an out-of-band update to fix the vulnerabilities. Engineers are still testing an update to Flash Player for Windows, Macintosh, Linux, Solaris and Android. The company is also still readying an update for Adobe Reader and Acrobat.
Adobe Reader X for Windows will be updated during the next quarterly security update scheduled for June 14.
Adobe’s last official update was March 21, when it repaired a Flash Player vulnerability being targeted by attackers using Microsoft Excel files. Adobe also repaired a security problem that affects the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.