Adobe has its hands full with another Flash zero-day vulnerability, this one being actively exploited to target users under the guise of a legitimate Microsoft Word document, the company revealed Monday.
The flaw is present in Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris, 10.2.154.25 for Chrome and 10.2.156.12 for Android. The bug also is present in the authplay.dll component that ships with Reader and Acrobat X and earlier versions for Windows and Mac, though Adobe is not aware of any attacks being leveraged via PDF files.
Successful exploitation of the vulnerability could allow an attacker to take complete control of an affected system, according to a bulletin. Miscreants currently are embedding malicious Flash files inside Word documents to distribute the attack.
Nearly all of the popular anti-virus solutions on the market failed to detect the threat, according to reports, though rates should increase now that the issue is public.
Adobe has not determined when a fix for Flash will be available, but if history is any indication, users should not have to wait long.
On March 14, the company revealed another zero-day Flash bug, which was fixed a week later. That vulnerability, exploited through Microsoft Excel files, was used by hackers to gain access to security firm RSA's network to steal information related to its SecurID products.
Meanwhile, the company plans to shore up its Reader and Acrobat products from the latest flaw in the next quarterly release, due June 14. In the meantime, users are encouraged to upgrade to the most recent versions of Reader and Acrobat because the "Protected Mode" capability prevents an exploit like this from executing.