Adobe issued its second bulletin in four weeks about a critical Flash vulnerability. This time, attackers are using a Word document with Flash embedded.
For
the second time in four weeks, Adobe warned users of a critical vulnerability
in its Flash Player that could potentially allow an attacker to take remote
control of the compromised system.
Attackers
are exploiting the latest Flash Player bug by embedding malicious Flash files
within a Microsoft Word document that is emailed to users as an attachment,
Adobe said in a
security
advisory (CVE-2011-0611) issued April 11. The company did not give any
indication as to when the bug will be patched, as it was "finalizing a
schedule."
The
same vulnerability also exists in Adobe Reader and Acrobat, as they can both
read Flash content inserted in PDF files. However, Adobe said it was not aware
of any attacks via PDF targeting Adobe Reader and Acrobat currently in the
wild.
If
executed, the rogue Word document could cause the system to crash and allow
attackers to take control of the affected system, according to the advisory.
The
previously disclosed
Flash
bug, patched March 21, was very similar, except attackers used a rogue
Excel spreadsheet to hide its malicious Flash code.
RSA
Security revealed on April 1 that cyber-criminals used the Excel
spreadsheet exploit to gain entry into RSA's network and steal information
related to the SecurID two-factor authentication technology.
Like
the previous Flash bug, this latest one is neutralized in Adobe Reader X, which
utilizes a sandbox that prevents the exploit from executing.
Adobe
will be fixing the issue on all affected software with the exception of Adobe
Reader X, in a practice Chester Wisniewski, senior security adviser at Sophos,
called "distasteful" on the
NakedSecurity
blog.
"It's
great that the sandbox is working against some of these exploits, but it
suggests it is OK to consume malicious code because you have
'protection,'" Wisniewski said.
Users
can revert to either Adobe Reader 8 or upgrade to Adobe Reader X. Reader X is
available only for Windows users.
One
instance of the malicious Word document seen in the wild is named
"Disentangling Industrial Policy and Competition Policy," which is sent to
targeted recipients as an attachment, according to Mila Parkour, the
independent security researcher who reported the latest flaw to Adobe. The
sample she saw claimed the document was a copy of the American Bar
Association's Antitrust Source newsletter, Parkour wrote on her
Contagio
Malware Dump blog.
The
email message's subject line is similar to the file name, and reads,
"Disentangling Industrial Policy and Competition in China," Parkour said. The
body of the message claims the article would be of interest to anyone wanting
to know about China's Anti-Monopoly Law.
Considering
that the most recent issue of Antitrust Source contains a legitimate article by
the same name, which is available on the newsletter's Website, it's likely that
people would fall for the ruse, especially if they were members of the legal
community.
The
document has been used in targeted spear-phishing campaigns against select
organizations and individuals working with the U.S. government, according to
Brian Krebs on
Krebs
on Security.
Currently,
Commtouch is the only major antivirus vendor whose security software correctly
detects the malicious Word document, according to VirusTotal, a service that
analyzes suspicious files and checks them against 42 major antivirus products.
The
vulnerability impacts Adobe Flash Player 10 on all operating systems and Adobe
Reader 9 and X for Windows and Macintosh, according to the advisory. It does
not affect Adobe Reader for Android, Unix or Adobe Reader/Acrobat 8.
Email
Print
