Adobe issued a security bulletin about a critical vulnerability that could compromise user systems and promised a fix next week. An exploit already exists as an Excel spreadsheet with Flash embedded.
Adobe will be fixing a
critical vulnerability in its Flash Player, Adobe Acrobat and Reader X. There
are already exploits in the wild for Flash, Adobe said.
When exploited, this
critical vulnerability could crash the system or allow the attacker to take
complete control of the affected system, Adobe said in a security
March 14. Attackers were using a malicious Flash file embedded in
a Microsoft Excel file that is attached to an e-mail message, Adobe said.
The vulnerability affects
the latest versions of Adobe Flash Player for Windows, Mac OS X, Linux, Solaris
and Chrome. It also exists in the authplay.dll file that ships with Adobe
Reader and Acrobat X (10.0.1), as well as earlier 10.x and 9.x versions for
Windows and Macintosh. Adobe Reader 9.x for UNIX, Adobe Reader for Android, and
Adobe Reader and Acrobat 8.x are not affected, Adobe said.
Researchers questioned why
Excel spreadsheets needed to have Flash support in the first place. "I don't
really see the point of embedded SWFs inside Excel documents," said Roel
, senior malware researcher at Kaspersky Lab.
Calling it a clear example
of when "too much functionality in a product is not a good thing," Schouwenberg
said Microsoft should allow users to turn off excess features. Alternatively,
Adobe could refuse these kinds of integrations to "reduce the attack surface,"
Schouwenberg said he was
able to run the exploit on Windows XP but not on Windows 7. A different
technique would probably be able to exploit the vulnerability under Windows 7,
Adobe has yet to see the
exploits targeting Acrobat or Reader. In the event of a Reader exploit, Adobe
Reader X's "Protected Mode" would prevent the malicious exploit from executing,
Adobe is working on a fix for
the vulnerability and will release an update for Flash Player 10.x and earlier
versions for Windows, Mac, Linux, Solaris and Android, Adobe Acrobat and some
versions of Reader during the week of March 21, according to the advisory.
Adobe will not update Adobe Reader X until the next regular quarterly update
scheduled for June 14.
An out-of-cycle update for
Adobe Reader X would have delayed the current patch release schedule by another
week, Brad Arkin, senior director of product security and privacy at Adobe,
wrote on the Adobe
Secure Software Engineering Team
blog. An out-of-cycle update would also
"incur unnecessary churn and patch-management overhead" considering that the
risks are low for Reader X users, the team said.
Considering that Reader X
would be able to prevent the exploit from executing, users should go ahead and
update their software to this version, said Wolfgang Kandek, CTO of Qualys.
"This occurrence highlights the increased robustness gained from the sand-boxing,"
Adobe is expected to still
release Flash Player 10.2 for mobile devices on March 18. The latest version
will already have this vulnerability fixed, Wiebke Lips, an Adobe spokesperson,
The exploit targeting this
vulnerability was reported to Adobe from a third party as part of the company's
Product Security Incident Response Team activities, Lips said.