Adobe on Monday warned its customers about a new unpatched vulnerability in its Flash Player application. Officials say that the bug is being used in targeted attacks involving a malicious Flash file embedded in a Microsoft Word document.
The Flash vulnerability affects users on Windows, Apple OS X, Linux and Solaris, as well as customers who use Flash on the Android platform. Adobe said the vulnerability, present in Flash Player 10.2.153.1 and earlier versions, is already being exploited by attackers using rigged Flash files buried in Word documents.
“This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform. At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat,” Adobe said in its security bulletin on Flash.
The Flash bug also affects Adobe Reader and Acrobat, though the sandbox in Adobe Reader X (Protected Mode) can help prevent exploitation of the vulnerability. Adobe said it is still working out a patch schedule for Flash Player and Acrobat. The company plans to patch Reader X in its next scheduled quarterly update, due June 14.
The news of the latest Flash vulnerability comes about 10 days after officials at RSA acknowledged that the attack that compromised its SecurID product line last month used an Excel spreadsheet carrying a malicious Flash file. That earlier attack exploited a different Flash flaw, CVE-2011-0609, which Adobe patched in March; the delivery technique, a SWF embedded in an Office document sent as an email attachment, is the same.
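Both the Word-document attack described in Adobe's bulletin and the RSA spreadsheet attack rely on an Office file that carries an embedded SWF. The following is an added triage example, not code from the article or from Adobe: it scans an arbitrary binary blob for SWF headers (FWS, CWS, ZWS), checks that the declared version and file length are plausible, inflates zlib-compressed (CWS) bodies, and reads the frame header and the leading tag codes so an analyst can see, for instance, whether the file carries ActionScript bytecode (DoABC, tag 82). The sample container, the minimal SWF it embeds and the MAX_PLAUSIBLE_VERSION threshold are constructed for the demonstration; a real .doc or .xls would be read from disk instead. Legacy OLE containers can fragment a stream across sectors, so a raw byte scan is a first-pass check; for a production pipeline, extract the embedded stream with an OLE parser first and then run the header checks on the extracted bytes.

```python
"""Find SWF (Flash) files embedded in an arbitrary binary blob such as a .doc or .xls.
Added example for triaging SWF-in-Office attachments; not from the original article."""
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib-compressed, LZMA-compressed
MAX_PLAUSIBLE_VERSION = 60               # assumption: no real SWF declares a version this high


def _swf_body_summary(body):
    """Parse the uncompressed SWF body (everything after the 8-byte header):
    frame RECT, frame rate (8.8 fixed point), frame count and the leading tag codes."""
    if not body:
        raise ValueError("empty body")
    nbits = body[0] >> 3                        # RECT: 5-bit field width, then 4 fields
    rect_len = (5 + 4 * nbits + 7) // 8
    if len(body) < rect_len + 4:
        raise ValueError("truncated header")
    rate_raw, frames = struct.unpack_from("<HH", body, rect_len)
    pos = rect_len + 4
    tags = []
    while pos + 2 <= len(body) and len(tags) < 16:
        hdr, = struct.unpack_from("<H", body, pos)
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:                      # long form: 32-bit length follows
            if pos + 4 > len(body):
                raise ValueError("truncated long tag")
            length, = struct.unpack_from("<I", body, pos)
            pos += 4
        tags.append(code)
        pos += length
        if code == 0:                           # End tag
            break
    return {"frame_rate": rate_raw / 256.0, "frame_count": frames, "tag_codes": tags}


def scan_for_embedded_swf(data):
    """Return one record per plausible SWF header found anywhere in `data`."""
    hits = []
    for magic in SWF_MAGICS:
        off = data.find(magic)
        while off != -1:
            if off + 8 <= len(data):
                version = data[off + 3]
                declared_len, = struct.unpack_from("<I", data, off + 4)
                if 1 <= version <= MAX_PLAUSIBLE_VERSION and declared_len >= 8:
                    rec = {"offset": off, "signature": magic.decode(), "version": version,
                           "declared_length": declared_len, "summary": None, "note": ""}
                    try:
                        if magic == b"FWS":
                            body = data[off + 8: off + declared_len]
                            if len(body) != declared_len - 8:
                                rec["note"] = "declared length runs past end of data"
                            rec["summary"] = _swf_body_summary(body)
                        elif magic == b"CWS":
                            # FileLength in the header is the *uncompressed* size;
                            # cap inflation at that size + 1 so an oversized or
                            # bomb-like stream is noticed instead of inflated in full.
                            d = zlib.decompressobj()
                            body = d.decompress(data[off + 8:], declared_len - 8 + 1)
                            if not d.eof or len(body) != declared_len - 8:
                                rec["note"] = "zlib stream truncated, corrupt or size mismatch"
                            rec["summary"] = _swf_body_summary(body)
                        else:
                            rec["note"] = "LZMA-compressed SWF (not decoded here)"
                    except (ValueError, zlib.error) as exc:
                        rec["note"] = f"header parse failed: {exc}"
                    hits.append(rec)
            off = data.find(magic, off + 1)
    return sorted(hits, key=lambda r: r["offset"])


def _build_minimal_swf(compressed=False):
    """Constructed sample: a 17-byte SWF (zero-width frame RECT, 12 fps, one frame,
    an empty DoABC tag (code 82), End tag). Not a real exploit file."""
    body = (b"\x00"                             # RECT with nbits=0 fits in one byte
            + struct.pack("<H", 12 << 8)        # frame rate 12.0
            + struct.pack("<H", 1)              # frame count
            + struct.pack("<H", (82 << 6) | 0)  # DoABC tag, zero-length payload
            + struct.pack("<H", 0))             # End tag
    total = 8 + len(body)
    if compressed:
        return b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    return b"FWS" + bytes([10]) + struct.pack("<I", total) + body


# Constructed stand-in for an OLE .doc container: OLE magic, padding, an uncompressed
# SWF at offset 32 and a zlib-compressed one at offset 65, then trailing bytes.
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
              + _build_minimal_swf() + b"\x00" * 16
              + _build_minimal_swf(compressed=True) + b"\xff" * 16)


if __name__ == "__main__":
    for rec in scan_for_embedded_swf(SAMPLE_DOC):
        print(rec)
```

Run against a real attachment, the interesting fields are the tag codes: a SWF that carries DoABC (82) or DefineBinaryData (87) and is embedded in a document that has no business containing animation is worth pulling apart further, and a CWS record whose note reports a size mismatch is a common sign of a deliberately malformed file.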