Adobe advises of Flash flaw exploited via Excel docs

Share this article:

Adobe on Monday warned of a "critical" zero-day vulnerability in Flash Player that attackers currently are exploiting through Microsoft Excel files.

The flaw, which impacts Flash 10.2.152.33 and earlier versions, also impacts Reader and Acrobat because the authplay.dll component, which ships with the popular PDF software, is flawed, according to an Adobe blog post. Reader and Acrobat X 10.0.01 and earlier versions for Windows and Macintosh are affected.

Wendy Poland, a security response program manager at Adobe, said in the post that the company has fielded reports of attackers taking advantage of the vulnerability by embedding a malicious SWF (Flash) file in an XLS (Excel) document, delivered as an email attachment. The company is not aware of any exploits targeting Reader or Acrobat.

A patch is due March 21.

Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, said he doesn't think Microsoft and Adobe should allow integration of their two products in this way. But he understands why attackers are taking advantage.

"This kind of structure is a perfect setup for targeted attacks," Schouwenberg wrote in a Monday blog post. "And not surprisingly, targeted attacks have indeed been reported...The reason why the attackers are using Excel as a delivery vehicle is simple. This way the attack can easily be delivered through email. So be extra cautious when you receive XLS files you didn't request."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Federal Trade Commission appoints new chief technologist

The government agency has announced Ashkan Soltani as its new chief technologist, according to a release.

Cybercriminals continue to piggyback on Ebola news

Email samples discovered by researchers at Trustwave reveal how attackers are infecting users with the DarkComet Remote Access Trojan.

ISA president urges state AGs to expand understanding of cybercrime

Speaking at a National Association of State Attorneys General conference, ISA's Larry Clinton asked the AGs to step up efforts to get more resources.