Adobe has released a security update for its Flash Player following reports that exploits were available and in active use.
It said that the updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. The exploit involves tricking a user into opening a Microsoft Word document, usually delivered as an email attachment, that contains malicious Flash content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.
It also said that malicious Flash content hosted on websites is targeting Flash Player in Firefox or Safari on the Mac platform, and that other attacks are designed to trick Windows users into opening a Microsoft Word document, delivered as an email attachment, that contains malicious Flash content.
Patches have been released and are rated ‘critical’. Jaime Blasco, head of labs at AlienVault, said that the company had found several Microsoft Office files containing the exploit that seemed to be part of a spear phishing campaign targeting several industries, including aerospace.
“One of the files was using the 2013 IEEE Aerospace Conference schedule as a lure to trick the user into opening the file,” he said.
“The .doc files contain an embedded Flash file with no compression or obfuscation. The Flash file has an embedded executable file that is the actual payload delivered to the victim. It is worth mentioning that the executable file isn't obfuscated at all, which means most of the security products should be able to detect this threat using generic signatures.”
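
To illustrate the kind of generic check the quote alludes to, the Python below carves uncompressed Flash data (`FWS` magic) out of a document blob and flags any that carries a Windows executable (PE) header. It is an added example, not code from AlienVault or Adobe; the function names, sanity thresholds and sample bytes are constructed for illustration.

```python
import struct

def find_uncompressed_swf(blob):
    """Yield (offset, data) for each plausible uncompressed SWF inside blob."""
    pos = blob.find(b"FWS")
    while pos != -1:
        if pos + 8 <= len(blob):
            version = blob[pos + 3]
            (length,) = struct.unpack_from("<I", blob, pos + 4)
            # Heuristic bounds (assumed) to cut false hits on the 3-byte magic.
            if 1 <= version <= 50 and 8 < length <= len(blob) - pos:
                yield pos, blob[pos:pos + length]
        pos = blob.find(b"FWS", pos + 1)

def find_embedded_pe(data):
    """Return offsets of MZ headers whose e_lfanew points at 'PE\\0\\0'."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # A short slice near the end of data simply fails the comparison.
            if e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def scan_document(blob):
    """Return [(swf_offset, [pe_offsets_within_swf])] for suspicious SWFs."""
    findings = []
    for off, swf in find_uncompressed_swf(blob):
        pes = find_embedded_pe(swf)
        if pes:
            findings.append((off, pes))
    return findings

def build_sample():
    """Constructed bytes: OLE-style prefix, filler, SWF wrapping a PE stub."""
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    body = b"\0" * 16 + pe
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    return b"\xd0\xcf\x11\xe0" + b"A" * 100 + swf + b"B" * 20

if __name__ == "__main__":
    for off, pes in scan_document(build_sample()):
        print(f"uncompressed SWF at {off:#x}, PE header(s) at SWF offset {pes}")
```

A compressed (`CWS`) Flash file would need to be inflated before the same PE check applies, so this covers only the uncompressed case described in the quote.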