Adobe confirms Flash zero-day exploit, plans patches

Adobe has acknowledged that hackers have begun to exploit a critical zero-day vulnerability present in the company’s Flash player to target and steal sensitive data, primarily from organizations, according to a security bulletin issued by the company this week.

The attack consists of hackers emailing corporate employees a corrupted Flash file disguised as an Excel attachment.

“This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe officials stated in Monday’s security bulletin. “There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.”

That Excel file wouldn’t ordinarily cause suspicion among most employees, making it a good vehicle for such attacks, Qualys CTO Wolfgang Kandek told Computerworld. “Hackers use whatever mechanism makes sense, and Excel files are generally trusted documents. So it is just part of the social engineering element here.”
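The delivery mechanism Adobe describes, a Flash (.swf) object carried inside a legacy Excel (.xls) file, leaves a detectable trace: an SWF begins with a fixed 8-byte header (a `FWS`, `CWS` or `ZWS` signature, a version byte and a little-endian length), and a spreadsheet has no ordinary reason to contain one. The following Python scanner is an added example written for this page, not code from Adobe, Qualys or the article; the function names, the OLE2 magic check and the sample attachments are constructed here for illustration. It flags an Office container whose bytes contain a plausible SWF header, while rejecting chance 3-byte matches by validating the version and length fields.

```python
import struct
from dataclasses import dataclass

# An SWF starts with a 3-byte signature, a 1-byte format version and a
# 4-byte little-endian length (the uncompressed length for CWS/ZWS).
SWF_SIGNATURES = {
    b"FWS": "uncompressed",
    b"CWS": "zlib-compressed",
    b"ZWS": "lzma-compressed",
}
# Magic bytes of an OLE2 compound file, the container behind legacy .xls/.doc/.ppt.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


@dataclass
class SwfHit:
    offset: int
    kind: str
    version: int
    declared_length: int


def find_embedded_swf(data: bytes, max_version: int = 40) -> list[SwfHit]:
    """Return plausible SWF headers found anywhere in a byte blob.

    A bare signature match is too noisy on its own, so a hit must also carry
    a sane version byte and a declared length that at least covers the header
    and, for the uncompressed variant, does not run past the end of the data.
    """
    hits = []
    for sig, kind in SWF_SIGNATURES.items():
        pos = data.find(sig)
        while pos >= 0:
            if pos + 8 <= len(data):  # need the full 8-byte header
                version = data[pos + 3]
                declared = struct.unpack_from("<I", data, pos + 4)[0]
                fits = declared <= len(data) - pos if kind == "uncompressed" else True
                if 1 <= version <= max_version and declared >= 8 and fits:
                    hits.append(SwfHit(pos, kind, version, declared))
            pos = data.find(sig, pos + 1)
    return hits


def classify_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment whose container type does not explain Flash content.

    A stand-alone .swf is not flagged; an Office document (by extension or by
    OLE2 magic) that carries an SWF header is.
    """
    hits = find_embedded_swf(data)
    is_ole2 = data.startswith(OLE2_MAGIC)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    office_ext = ext in {"xls", "doc", "ppt"}
    return {
        "filename": filename,
        "ole2_container": is_ole2,
        "swf_hits": hits,
        "suspicious": bool(hits) and (is_ole2 or office_ext),
    }


def _build_fake_swf(version: int = 10) -> bytes:
    """Constructed stand-in for an SWF: valid header, arbitrary 13-byte body."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00"
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


# Constructed samples: an OLE2 header sector (512 bytes) followed either by a
# fake SWF or by ordinary text that happens to contain the letters "FWS".
SAMPLE_XLS_WITH_SWF = OLE2_MAGIC + b"\x00" * 504 + _build_fake_swf()
SAMPLE_XLS_CLEAN = OLE2_MAGIC + b"\x00" * 504 + b"Quarterly FWS\x00\x00\x00\x00\x00 figures"

if __name__ == "__main__":
    for name, blob in (("report.xls", SAMPLE_XLS_WITH_SWF),
                       ("report.xls", SAMPLE_XLS_CLEAN),
                       ("movie.swf", _build_fake_swf())):
        print(classify_attachment(name, blob))
```

Two caveats apply in practice. OLE2 stores streams in 512-byte sectors that need not be contiguous, so the 8-byte header can in rare cases straddle a sector boundary and be missed; parsing the compound file with a library such as `olefile` and scanning each stream is more reliable than a raw byte scan. And the newer zip-based formats (.xlsx, .docx) deflate their parts, so embedded content there must be unzipped before this kind of signature check can see it.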

Adobe officials state in the security bulletin that most customers can expect a patch sometime next week:

“We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011.”

Notably absent from that group of software patches, however, is Adobe Reader X for Windows, which the company says won’t be patched until the next scheduled quarterly security update on June 14th.

Brad Arkin, Adobe director of product security and privacy, defended the company’s plans to hold off on that patch.

“Given the mitigation provided by the Adobe Reader X sandbox and the absence of attacks via PDF, we determined that an out-of-cycle update would incur unnecessary churn and patch management overhead on our users not justified by the associated risk,” Arkin said. Sandboxing runs untrusted code in a confined environment so that a malicious file which does get through can do only limited damage to the rest of the system.

So get ready to patch your Flash players next week and, as always, use common sense when opening any type of file from someone you don’t recognize or in an email that doesn’t look quite right.
