We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Hackers exploiting Flash zero-day, Adobe confirms

Will update Flash, Reader, Acrobat next week

Adobe has confirmed that attackers are exploiting an unpatched bug in Flash Player using Microsoft Excel documents.

The company will patch Flash next week and will also update Adobe Reader, which includes code that renders Flash content inserted in PDF files.

"They have exploits out in the wild, so they're moving pretty quickly," said Wolfgang Kandek, chief technology officer at Qualys. "That's commendable."

According to a security advisory, attackers are exploiting the vulnerability by embedding malicious Flash files within a Microsoft Excel document sent as an email attachment.

Adobe said it wasn't aware of any attacks directed at Reader or Acrobat, the popular PDF viewer and commercial PDF creator.

"This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system," Adobe acknowledged in its advisory.

Brad Arkin, the company's director of product security and privacy, offered up more information in a blog. "Reports thus far indicate the attack is targeted at a very small number of organisations and limited in scope," Arkin said.

After exploiting the Flash vulnerability, hackers are infecting systems with additional malware.

Social engineering

The Excel file is simply the delivery mechanism for the malicious Flash code that's exploiting the vulnerability, an Adobe spokeswoman confirmed.

"Hackers use whatever mechanism makes sense, and Excel files are generally trusted documents," said Kandek. "So [the Excel document] is just part of the social engineering element here."

Patch plans

Adobe will patch Flash, Reader and Acrobat next week - the company did not specify which day, but it often releases security fixes on Tuesday - but will not update Reader X, the newest version of the viewer that includes an anti-exploit 'sandbox' designed to stymie most attacks.

Reader X's sandbox blocks the current attacks, Arkin said, and would also prevent malware from being installed if hackers switch to delivering the exploit in malicious PDFs, a frequently used tactic with Flash exploits.

Adobe decided not to update Reader X next week because building a fix would delay the release of the Flash, Reader and Acrobat updates by a week.

"Given the mitigation provided by the Adobe Reader X sandbox and the absence of attacks via PDF, we determined that an out-of-cycle update would incur unnecessary churn and patch management overhead on our users not justified by the associated risk," said Arkin.

Reader X will get a patch at the next regularly scheduled update on June 14, Arkin added.

Users should take use the opportunity to update to Reader X, urged Kandek. "This is good example of how sandboxing provides additional hardening," he said. "At [Pwn2Own] last week, no one attempted to exploit [Google's] Chrome, for example. I think that had to do with the additional sandboxing in Chrome."

Reader X can be downloaded from Adobe's site; only the Windows version includes the sandbox technology, however.

Adobe last patched Flash and Reader February 8 when it shipped fixes for 42 flaws in the two programs.

See also: Adobe Reader X thwarts PDF malware attack


IDG UK Sites

Best Black Friday 2014 tech deals: Get bargains on smartphones, tablets, laptops and more

IDG UK Sites

Tomorrow's World today (or next year)

IDG UK Sites

See how Trunk's animated ad helped Ade Edmondson plug The Car Buying Service

IDG UK Sites

Yosemite tips: Complete Guide to OS X Yosemite