A zero-day vulnerability in Adobe Flash Player has been actively exploited since at least March to compromise vulnerable systems and infect them with malware. The malware found in the wild was delivered as an Excel document embedding specially crafted Flash content. The vulnerability exploited to infect systems was, however, in Flash Player and not in Excel, which merely served as the delivery mechanism.
How does it work?
The vulnerability is caused by an error in the ActionScript Virtual Machine 2 (AVM2) when handling certain manipulated bytecode. This can cause confusion between object types, e.g. when accessing a property, and in this case leads to uninitialized memory being dereferenced and to arbitrary code execution.
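As a defender-side check for the delivery mechanism described above (an Office document carrying embedded Flash content), here is an added example, not code from Secunia or Adobe, that flags SWF headers inside a legacy OLE2 blob or inside the parts of an OOXML zip. The sample documents are constructed inline, and the version/length sanity checks are a triage heuristic, not a parser of the embedded object.

```python
import io
import struct
import zipfile

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.xlsx/.docx) container


def find_swf_headers(data):
    """Return (offset, signature, version, declared_len) for each plausible SWF header in data."""
    hits = []
    for sig in SWF_SIGNATURES:
        idx = data.find(sig)
        while idx >= 0:
            if idx + 8 <= len(data):
                version = data[idx + 3]
                declared_len = struct.unpack_from("<I", data, idx + 4)[0]
                # Header is signature(3) + version(1) + total file length(4, little-endian);
                # the range checks drop accidental "FWS"/"CWS" matches in ordinary text.
                if 1 <= version <= 40 and 8 <= declared_len <= 256 * 1024 * 1024:
                    hits.append((idx, sig.decode(), version, declared_len))
            idx = data.find(sig, idx + 1)
    return hits


def scan_document(blob):
    """Report embedded SWF headers in an OLE2 blob, or in every part of an OOXML zip."""
    if blob.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [(name, *hit) for name in zf.namelist()
                    for hit in find_swf_headers(zf.read(name))]
    return [("<raw>", *hit) for hit in find_swf_headers(blob)]


def build_samples():
    """Constructed inputs: a fake SWF header embedded in an OLE2-style blob and in an xlsx-style zip."""
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x00" * 16
    ole = OLE2_MAGIC + b"\x00" * 504 + swf
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", swf)
    return ole, buf.getvalue()


if __name__ == "__main__":
    ole, xlsx = build_samples()
    for label, doc in (("legacy .xls", ole), ("OOXML .xlsx", xlsx)):
        print(label, scan_document(doc))
```

Real-world embedded objects may be further wrapped in OLE streams or compressed, so a hit here is a reason to pull the file into a sandbox, and a miss is not a clean bill of health.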
Should I be worried?
According to Secunia PSI statistics, 96.1% of all Windows systems have Flash Player installed. This vulnerability, therefore, affects almost all users; anyone not already running the latest version of Flash Player should worry.
How can I prevent it?
Adobe has released fixes for Flash Player (10.2.153.1), Flash Player for Android (10.2.156.12), and AIR (2.6). Google Chrome, which bundles Flash by default, also has an update available (10.0.648.134 and later) and so does Adobe Reader/Acrobat (10.0.2 and 9.4.3).
Source: Carsten Eiram, chief security specialist, Secunia
(editor's note) After we went to press with this May issue, it was revealed that this Adobe flaw was exploited in the hack of RSA in March. Access to RSA's corporate network was opened up when an employee opened an email message with a malicious Excel attachment containing the exploit.