Adobe is warning its users about a critical vulnerability in Flash Player that also affects Adobe Reader and Acrobat. The bug can be used by remote attackers to run arbitrary code, and Adobe officials said that they have already seen attacks targeting the vulnerability.
The vulnerability in Flash Player affects Reader and Acrobat, both of which include Flash functionality, but it does not affect Reader X. Adobe officials said that Reader X’s Protected Mode sandbox would prevent successful exploits. The company plans to have a patch for the affected products ready by next week for all platforms, including Windows, Mac, Linux, Android and Solaris.
“This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing,” Adobe said in its advisory on the bug.
“This kind of structure is a perfect setup for targeted attacks. And not surprisingly, targeted attacks have indeed been reported,” Kaspersky Lab malware researcher Roel Schouwenberg wrote in a blog post about the bug. “During testing, the particular exploit was not able to run successfully on Windows 7. It did work on Windows XP. It’s likely though a ROP-exploit would be able to exploit this vulnerability under Windows 7.”
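The delivery structure described above (a .swf carried inside an .xls attachment) is something a mail gateway or triage script can look for without executing anything. The following is an added example, not code from Adobe or Kaspersky: it scans a byte buffer for plausible SWF headers (signature `FWS`/`CWS`/`ZWS`, version byte, little-endian length) and, for compressed `CWS` bodies, confirms the bytes actually inflate. The sample "attachment" it builds is constructed filler, not a real malicious document.

```python
import re
import struct
import zlib

# SWF header layout: 3-byte signature, 1-byte version, 4-byte little-endian uncompressed length.
SWF_SIGNATURE = re.compile(rb"(FWS|CWS|ZWS)")


def find_embedded_swf(data: bytes, max_version: int = 64):
    """Return [(offset, signature, version, declared_length)] for plausible SWF headers in data.

    Plausibility filters cut down false positives from the 3-byte signature appearing by chance:
    the version byte must be in range, the declared length must cover at least the header, and
    a CWS body (zlib-compressed) must start inflating without error.
    """
    hits = []
    for m in SWF_SIGNATURE.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        sig = m.group(1).decode()
        version = data[off + 3]
        length = struct.unpack_from("<I", data, off + 4)[0]
        if not (1 <= version <= max_version) or length < 8:
            continue
        if sig == "CWS":
            try:
                zlib.decompressobj().decompress(data[off + 8 : off + 8 + 4096])
            except zlib.error:
                continue
        hits.append((off, sig, version, length))
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for an .xls attachment: OLE-style filler with two SWFs and two decoys."""
    swf_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 20
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_body)) + swf_body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_body)) + zlib.compress(swf_body)
    decoy_version = b"FWS\xff\x00\x00\x00\x00"                # version byte 255: not a real SWF
    decoy_body = b"CWS\x0a\x20\x00\x00\x00NOT-ZLIB-DATA"       # CWS whose body does not inflate
    filler = b"\xd0\xcf\x11\xe0" + b"\x00" * 32                # OLE2 magic plus padding (illustrative)
    return filler + decoy_version + filler + fws + filler + decoy_body + filler + cws + filler


if __name__ == "__main__":
    for off, sig, ver, length in find_embedded_swf(build_sample()):
        print(f"embedded SWF at offset {off}: {sig} v{ver}, declared length {length}")
```

Real-world use would run this over every attachment's raw bytes (and over any streams extracted from the OLE container); a hit in a spreadsheet is a strong reason to quarantine for analysis.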
Even though the new Flash bug apparently wouldn’t be exploitable in Reader X, Adobe plans to update that application in its scheduled quarterly Reader patch release in June.