New Critical 0-day Flash Vulnerability Exploited via Excel Attachments

Yikes. Yet another security issue that involves Adobe products …

Adobe today released a new security advisory for Adobe Flash Player, Adobe Reader and Acrobat. All three applications are affected by a critical 0-day vulnerability that is exploited via Excel email attachments. Vulnerable versions are Adobe Flash Player and earlier for all supported desktop operating systems, Adobe Flash Player and earlier for Android and Adobe Reader and Acrobat X, 10.x and 9.x for Windows and Macintosh.

Adobe has confirmed reports that the vulnerability is actively exploited via SWF files embedded in Microsoft Excel files that are delivered as email attachments. A successful exploit causes a crash of the application and could give an attacker control over the computer system.

A security fix is in the final stages of development, and Adobe estimates that it can be distributed during the next week. For now, computer users should be very cautious when they receive emails with Excel attachments, especially if the sender is unknown. It may be a good idea to open the documents online, for instance via Google Docs, instead of in a desktop client to block potential attacks.
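Until the fix ships, a mail administrator can triage incoming Excel attachments by checking them for an embedded Flash file. The following is an added example, not code from Adobe's advisory or from this article: a heuristic that looks for an SWF header (`FWS` or `CWS` signature, version byte, little-endian length) inside the attachment bytes. The function names, the size cap and the version bound are assumptions made for the illustration.

```python
import io
import struct
import zipfile
import zlib

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy .xls compound-file header
SWF_SIGNATURES = (b"FWS", b"CWS")                # uncompressed / zlib-compressed SWF
MAX_MEMBER_SIZE = 50 * 1024 * 1024               # assumed cap against zip bombs


def find_swf_headers(blob, max_version=50):      # max_version is an assumed bound
    """Return sorted (offset, signature, version, declared_length) of plausible SWF headers."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = blob.find(sig)
        while pos != -1:
            if pos + 9 <= len(blob):
                version = blob[pos + 3]
                (length,) = struct.unpack_from("<I", blob, pos + 4)
                ok = 1 <= version <= max_version and length > 8
                if sig == b"CWS":
                    ok = ok and blob[pos + 8] == 0x78   # usual first byte of a zlib stream
                else:
                    ok = ok and length <= len(blob)     # uncompressed file must fit in the blob
                if ok:
                    hits.append((pos, sig.decode(), version, length))
            pos = blob.find(sig, pos + 1)
    return sorted(hits)


def scan_attachment(data):
    """Return (container_kind, {part_name: hits}) for one attachment's bytes."""
    parts = {"<raw>": data}
    kind = "ole2" if data.startswith(OLE2_MAGIC) else "other"
    if kind == "other" and zipfile.is_zipfile(io.BytesIO(data)):
        kind = "zip"                                    # .xlsx: scan each decompressed member
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parts = {i.filename: zf.read(i) for i in zf.infolist()
                     if i.file_size <= MAX_MEMBER_SIZE}
    found = {name: find_swf_headers(blob) for name, blob in parts.items()}
    return kind, {name: hits for name, hits in found.items() if hits}


def constructed_xls_sample():
    """Constructed test bytes: OLE2 magic, padding, then a fake CWS header (not a real file)."""
    fake_swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + zlib.compress(b"\0" * 64)
    return OLE2_MAGIC + b"\0" * 504 + fake_swf


if __name__ == "__main__":
    print(scan_attachment(constructed_xls_sample()))
```

A hit only means the spreadsheet carries Flash content and deserves quarantine or manual review; it does not tell a malicious SWF from a harmless one, and an SWF stored in an encoded or otherwise transformed form will not be found.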

Protected Mode of Adobe Reader X mitigates the issue according to Adobe, so that the security fix for that version will be delivered with the quarterly security update that is scheduled for June 14.

In short:

  • All Flash Player versions 10 are affected for all supported desktop and mobile operating systems.
  • All versions of Adobe Reader and Acrobat X, 10 and 9 are affected.
  • The vulnerability is exploited via Excel email attachments that have a Flash file embedded.
  • A patch will be delivered in the next week.

Additional information is available in the Security Advisory over at Adobe’s website.

© Martin Brinkmann for gHacks Technology News, 2011.