Adobe has acknowledged a zero-day flaw in its Flash Player and is finalising a fix for the issue.
According to an advisory from Adobe, the critical vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.
It confirmed that the vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (XLS) file delivered as an email attachment. The XLS file is used to set up machine memory to take advantage of a crash triggered by the corrupted .swf file. The final step of the attack is to install persistent malware on the victim's machine.
Brad Arkin, senior director of product security and privacy at Adobe, said: “Reports that we have received thus far indicate the attack is targeted at a very small number of organisations and limited in scope.
“We have not received reports or malicious samples of attacks leveraging this vulnerability via PDF files. However, attackers have leveraged these type of Flash Player vulnerabilities in the past via PDF files to attack the embedded authplay.dll component shipping with Adobe Reader and Acrobat v9.”
Adobe said that it was not aware of attacks targeting Adobe Reader and Acrobat, as Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
It said that it is in the process of finalising a fix for the issue and expects to make an update available during the week of 21st March 2011. Due to the protection offered by Adobe Reader X Protected Mode, it said that it is currently planning to address this issue with the next quarterly security update for Adobe Reader, currently scheduled for 14th June.
Arkin said: “Adobe Reader X Protected Mode (aka ‘sandboxing') is designed to prevent the type of exploit we are currently seeing in the .swf/XLS attack from executing. Even if an attacker made the transition to a PDF container for the exploit, the sandbox would prevent the final step of malicious software installation on the victim's machine.
“We considered providing an out-of-cycle update for Adobe Reader X as well, which would have delayed the current patch release schedule by about another week. However, given the mitigation provided by the Adobe Reader X sandbox and the absence of attacks via PDF, we determined that an out-of-cycle update would incur unnecessary churn and patch management overhead on our users not justified by the associated risk, in particular for customers with large managed environments.”
The affected software versions are: Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.2.154.18 and earlier for Chrome users; Adobe Flash Player 10.1.106.16 and earlier for Android; and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems. Adobe confirmed that Adobe Reader 9.x for Unix, Adobe Reader for Android and Adobe Reader and Acrobat 8.x are not affected by this issue.
Wolfgang Kandek, CTO at Qualys, said: “Adobe Flash is embedded in Adobe Acrobat and Reader, so both of these software packages are also vulnerable to the attack. Users of Adobe Reader X are not vulnerable to the exploit as the sandboxing technology included in Reader X prevents the code from executing.
“We recommend installing/updating your installations of Adobe Reader to this newest version, as this occurrence highlights the increased robustness gained from the sandboxing.”