Adobe advises of Flash flaw exploited via Excel docs

Share this article:

Adobe on Monday warned of a "critical" zero-day vulnerability in Flash Player that attackers currently are exploiting through Microsoft Excel files.

The flaw, which impacts Flash 10.2.152.33 and earlier versions, also impacts Reader and Acrobat because the authplay.dll component, which ships with the popular PDF software, is flawed, according to an Adobe blog post. Reader and Acrobat X 10.0.01 and earlier versions for Windows and Macintosh are affected.

Wendy Poland, a security response program manager at Adobe, said in the post that the company has fielded reports of attackers taking advantage of the vulnerability by embedding a malicious SWF (Flash) file in an XLS (Excel) document, delivered as an email attachment. The company is not aware of any exploits targeting Reader or Acrobat.

A patch is due March 21.

Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, said he doesn't think Microsoft and Adobe should allow integration of their two products in this way. But he understands why attackers are taking advantage.

"This kind of structure is a perfect setup for targeted attacks," Schouwenberg wrote in a Monday blog post. "And not surprisingly, targeted attacks have indeed been reported...The reason why the attackers are using Excel as a delivery vehicle is simple. This way the attack can easily be delivered through email. So be extra cautious when you receive XLS files you didn't request."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

NIST finalizes cloud computing roadmap

NIST finalizes cloud computing roadmap

The NIST architecture is designed to accelerate the adoption of cloud computing.

Chinese MitM attack targets iCloud users

Chinese MitM attack targets iCloud users

The attack used a false certificate to trick iCloud users into handing over personal data and login credentials. With an attack of this size, some experts and researchers believe the ...

EPIC: driver data shared via V2V technology needs protection

The groups shared comments on V2V communications with the National Highway Traffic Safety Administration.