informa
/
Vulnerabilities/Threats
News

Adobe Warns Of Active Flash Attack

The critical, zero-day vulnerability affects most recent versions of Flash, Reader, and Acrobat, although apparently not Reader X on Windows.
10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches

Attackers are currently exploiting a zero-day vulnerability in Adobe Flash Player. Adobe said that attackers can exploit the bug to crash or take control of a system. All versions of Flash 10.x for Windows, Macintosh, Linux, Solaris, and Android are vulnerable.

According to Adobe's security advisory, issued on Monday, "there are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment." Since Flash Player is also built into Adobe Reader and Acrobat, both these products are also at risk. To date, however, this vulnerability apparently hasn't been exploited using those products.

Some user action is required for the attack to succeed. "The target must open a malicious XLS file for a vulnerability in Flash to be exploited," said Kaspersky Lab security researcher Roel Schouwenberg, in a blog post. He has confirmed that the vulnerability can be exploited on Windows XP systems. While the attack that's currently in the wild doesn't appear to work on Windows 7 systems, he warned that attackers could easily adapt it to do so, using return-oriented programming techniques.

No patch yet exists for the vulnerability, though Adobe plans to release a fix for some products during the week of March 21. That update will patch Flash Player 10.x (and earlier versions) for Windows, Macintosh, Linux, Solaris, and Android, as well as Reader X on Macintosh and Reader 9.4.2 (and earlier) on Windows.

Interestingly, Adobe isn't planning to patch Adobe Reader X until June 14, 2011, which is the currently scheduled date for its next quarterly patch release. That's because the software's protected mode -- aka sandbox -- should prevent this exploit from being able to execute, Adobe said.

But as news of the vulnerability surfaced, some security researchers have asked why anyone would ever need to run a Shockwave file from an Excel spreadsheet. "This is a clear example of too much functionality in a product leading to security problems," said Kaspersky's Schouwenberg. "As such, it would be great if Microsoft would allow us to turn off these excess features. Or, alternatively, Adobe could disallow such integration to reduce the attack surface."

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5