Attackers are currently exploiting a zero-day vulnerability in Adobe Flash Player. Adobe said that attackers can exploit the bug to crash or take control of a system. All versions of Flash 10.x for Windows, Macintosh, Linux, Solaris, and Android are vulnerable.
According to Adobe's security advisory, issued on Monday, "there are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment." Since Flash Player is also built into Adobe Reader and Acrobat, both of these products are at risk as well. To date, however, this vulnerability apparently hasn't been exploited using those products.
Some user action is required for the attack to succeed. "The target must open a malicious XLS file for a vulnerability in Flash to be exploited," said Kaspersky Lab security researcher Roel Schouwenberg, in a blog post. He has confirmed that the vulnerability can be exploited on Windows XP systems. While the attack that's currently in the wild doesn't appear to work on Windows 7 systems, he warned that attackers could easily adapt it to do so, using return-oriented programming techniques.
No patch yet exists for the vulnerability, though Adobe plans to release a fix for some products during the week of March 21. That update will patch Flash Player 10.x (and earlier versions) for Windows, Macintosh, Linux, Solaris, and Android, as well as Reader X on Macintosh and Reader 9.4.2 (and earlier) on Windows.
Interestingly, Adobe isn't planning to patch Adobe Reader X until June 14, 2011, which is the currently scheduled date for its next quarterly patch release. That's because the software's protected mode -- aka sandbox -- should prevent this exploit from being able to execute, Adobe said.
But as news of the vulnerability surfaced, some security researchers asked why anyone would ever need to run a Shockwave file from an Excel spreadsheet. "This is a clear example of too much functionality in a product leading to security problems," said Kaspersky's Schouwenberg. "As such, it would be great if Microsoft would allow us to turn off these excess features. Or, alternatively, Adobe could disallow such integration to reduce the attack surface."
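For mail-gateway or triage use, the delivery vector in Adobe's advisory (a .swf embedded in an .xls attachment) can be flagged with a byte-level heuristic. The following is an added example, not code from Adobe or Kaspersky: the function names and the sample bytes are constructed for illustration, and it detects only the presence of embedded Flash content, not this specific exploit.

```python
import struct
import zlib

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file header used by .xls

def _body_ok(data, pos, sig, length):
    """Cheap plausibility check on what follows the 8-byte SWF header."""
    if sig == b"FWS":                       # uncompressed: declared size must fit
        return pos + length <= len(data)
    chunk = data[pos + 8:pos + 8 + 256]     # CWS: body must begin a valid zlib stream
    try:
        zlib.decompressobj().decompress(chunk)
        return len(chunk) >= 2
    except zlib.error:
        return False

def find_swf_headers(data, max_version=50):
    """Return sorted (offset, signature, version, declared_length) tuples."""
    hits = []
    for sig in (b"FWS", b"CWS"):
        pos = data.find(sig)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                (length,) = struct.unpack_from("<I", data, pos + 4)
                if (1 <= version <= max_version and length > 8
                        and _body_ok(data, pos, sig, length)):
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)

def scan_attachment(data):
    """Flag OLE2 documents that carry at least one plausible SWF header."""
    swf = find_swf_headers(data)
    ole2 = data.startswith(OLE2_MAGIC)
    return {"ole2": ole2, "swf": swf, "flagged": ole2 and bool(swf)}

def constructed_sample():
    """Constructed test bytes: OLE2 magic, a text decoy, one FWS and one CWS blob."""
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 32) + bytes(24)
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 100) + zlib.compress(bytes(92))
    return (OLE2_MAGIC + bytes(504) + b"FWS quarterly" + bytes(19)
            + fws + bytes(32) + cws + bytes(64))

if __name__ == "__main__":
    print(scan_attachment(constructed_sample()))
```

Because compound-file streams are stored in sectors and may be fragmented, this finds headers rather than extracting a complete SWF. A hit is a reason to quarantine the attachment for closer analysis, not a verdict.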