Adobe advises of Flash flaw exploited via Excel docs

Share this article:

Adobe on Monday warned of a "critical" zero-day vulnerability in Flash Player that attackers currently are exploiting through Microsoft Excel files.

The flaw, which impacts Flash 10.2.152.33 and earlier versions, also impacts Reader and Acrobat because the authplay.dll component, which ships with the popular PDF software, is flawed, according to an Adobe blog post. Reader and Acrobat X 10.0.01 and earlier versions for Windows and Macintosh are affected.

Wendy Poland, a security response program manager at Adobe, said in the post that the company has fielded reports of attackers taking advantage of the vulnerability by embedding a malicious SWF (Flash) file in an XLS (Excel) document, delivered as an email attachment. The company is not aware of any exploits targeting Reader or Acrobat.

A patch is due March 21.

Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, said he doesn't think Microsoft and Adobe should allow integration of their two products in this way. But he understands why attackers are taking advantage.

"This kind of structure is a perfect setup for targeted attacks," Schouwenberg wrote in a Monday blog post. "And not surprisingly, targeted attacks have indeed been reported...The reason why the attackers are using Excel as a delivery vehicle is simple. This way the attack can easily be delivered through email. So be extra cautious when you receive XLS files you didn't request."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Reported breaches involving zero-day bug at JPMorgan Chase, other banks

Reported breaches involving zero-day bug at JPMorgan Chase, ...

Hackers exploited a zero-day vulnerability and gained access to sensitive information from JPMorgan Chase and at least four other financial institutions, reports indicate.

Data on 97K Bugzilla users posted online for about three months

During a migration of the testing server for test builds of Bugzilla software, data on about 97,000 Bugzilla users was inadvertently posted publicly online.

Chinese national had access to data on 5M Arizona drivers, possible breach ...

Although Lizhong Fan left the U.S. in 2007, the agencies responsible for giving him access to Americans' personal information have yet to disclose the details of the case to the public.