Adobe warned today that attackers are exploiting a previously unknown security flaw in all supported versions of its Flash Player software. The company said the same vulnerability exists in Adobe Reader and Acrobat, but that it has not yet seen attacks targeting the flaw in those programs.
In an advisory released today, Adobe said malicious hackers were exploiting a critical security hole in Flash Player, including the current release. The affected versions are Flash Player 10.2.152.33 and earlier for Windows, Mac, Linux and Solaris (10.2.154.13 and earlier for Chrome users), and Flash Player 10.1.106.16 and earlier for Android. In addition, Adobe believes the bug lives in the “authplay.dll” component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Mac systems.
Adobe warns that the security hole is currently being exploited via Flash (.swf) files embedded in a Microsoft Excel document delivered as an email attachment. Why someone would need to embed a Flash file in an Excel document is anyone’s guess.
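Since the known lure is a Flash object tucked inside an Office document, a quick triage check on mail attachments is to look for a SWF header anywhere in the file rather than trusting the extension. The following is an added example, not code from Adobe or from this post: it scans a byte blob for the SWF signatures (“FWS” for uncompressed, “CWS” for zlib-compressed files, plus the later “ZWS”), validates the header fields so stray three-letter matches are discarded, and flags an OLE2 (legacy .xls) container that carries one. The sample attachment bytes are constructed inline for the demonstration; the function names and the version cut-off are my own choices.

```python
import struct
import zlib

# SWF header layout: 3-byte signature, 1-byte version, 4-byte little-endian
# length of the *uncompressed* file. "FWS" = uncompressed body, "CWS" = zlib
# stream after the 8-byte header. "ZWS" (LZMA) only appeared with Flash 11 and
# is listed for completeness; it gets the header checks but no body check.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office container (.xls/.doc)


def _zlib_body_plausible(body):
    """True if `body` starts like a zlib stream: try inflating the first few KB.
    zlib rejects a bad 2-byte header immediately, which weeds out random 'CWS' hits."""
    if len(body) < 2:
        return False
    try:
        zlib.decompressobj().decompress(body[:4096])
        return True
    except zlib.error:
        return False


def find_embedded_swf(data, max_version=30):
    """Return (offset, magic, version, declared_len) for every plausible SWF
    header in `data`, ignoring container structure entirely.
    max_version is an assumed sanity bound, not an Adobe-defined constant."""
    hits = []
    for magic in SWF_MAGICS:
        off = data.find(magic)
        while off >= 0:
            if off + 8 <= len(data):
                version = data[off + 3]
                (declared_len,) = struct.unpack_from("<I", data, off + 4)
                body = data[off + 8:]
                ok = 1 <= version <= max_version and declared_len >= 8
                if ok and magic == b"FWS":
                    ok = declared_len <= len(body) + 8   # uncompressed file must fit
                elif ok and magic == b"CWS":
                    ok = _zlib_body_plausible(body)
                if ok:
                    hits.append((off, magic.decode(), version, declared_len))
            off = data.find(magic, off + 1)
    return hits


def looks_like_office_with_flash(data):
    """The attack shape from the advisory: an OLE2 document carrying a SWF."""
    return data.startswith(OLE2_MAGIC) and bool(find_embedded_swf(data))


# --- constructed sample input (not a real malicious document) -------------

def _minimal_swf_body():
    # RECT with Nbits=0 (1 byte), frame rate 12.0 fps as 8.8 fixed (LE),
    # frame count 1, then an End tag (code 0, length 0).
    return b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"


def build_swf(compressed, version=10):
    """Build a tiny but structurally valid SWF, uncompressed or zlib-compressed."""
    body = _minimal_swf_body()
    total = 8 + len(body)          # declared length counts the header too
    header = bytes([version]) + struct.pack("<I", total)
    if compressed:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


# An OLE2 header, filler, the ProgID string an embedded Flash object would
# carry, a compressed SWF, then a decoy "FWS" with an absurd version byte.
SAMPLE_XLS = (
    OLE2_MAGIC + b"\x00" * 24
    + b"ShockwaveFlash.ShockwaveFlash\x00"
    + build_swf(compressed=True)
    + b"\x00" * 16 + b"FWS\xff\x00\x00\x00\x00" + b"\x00" * 8
)

if __name__ == "__main__":
    for off, magic, ver, length in find_embedded_swf(SAMPLE_XLS):
        print(f"SWF ({magic}) version {ver}, declared length {length} at offset {off}")
    print("office-with-flash:", looks_like_office_with_flash(SAMPLE_XLS))
```

A raw signature scan like this is deliberately container-agnostic: it will also catch a SWF dropped into a PDF stream or any other wrapper, at the cost of missing a SWF that the attacker has encoded or encrypted inside the OLE storage. For the Excel delivery described here it is a cheap first filter ahead of a proper OLE parser.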
The company says it is in the process of churning out a fix for the problem, which should be available during the week of March 21.
For those readers wondering whether the security fortifications built into Reader X block this attack, Adobe says you will have to take their word for it: “Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.” Brad Arkin, senior director of product security and privacy for Adobe, said in a blog post that providing an out-of-cycle update for Adobe Reader X would have delayed the current patch release schedule by about another week.
Now is a good time to point out that the NoScript plugin for Firefox will block Flash on sites that you have not specifically allowed to load Flash files. If you are looking for alternative PDF readers, there are several.
In other news, Google said Friday that it is seeing some highly targeted and apparently politically motivated attacks against users that abuse a publicly disclosed vulnerability in Internet Explorer. Microsoft has not issued an official patch for this IE flaw yet, but if you browse the Web with IE, it would be a great idea to take advantage of the Fix It tool that Microsoft has made available to blunt the threat from this vulnerability.