Adobe Promises Flash, Acrobat and Reader Fix for Zero-Day Bug

Adobe issued a security bulletin about a critical vulnerability that could compromise user systems and promised a fix next week. An exploit already exists as an Excel spreadsheet with Flash embedded.

Adobe will be fixing a critical vulnerability in its Flash Player, Adobe Acrobat and Reader X. There are already exploits in the wild for Flash, Adobe said.

When exploited, this critical vulnerability could crash the system or allow the attacker to take complete control of the affected system, Adobe said in a security advisory March 14. Attackers were using a malicious Flash file embedded in a Microsoft Excel file that is attached to an e-mail message, Adobe said.

The vulnerability affects the latest versions of Adobe Flash Player for Windows, Mac OS X, Linux, Solaris and Chrome. It also exists in the authplay.dll file that ships with Adobe Reader and Acrobat X (10.0.1), as well as earlier 10.x and 9.x versions for Windows and Macintosh. Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected, Adobe said.

Researchers questioned why Excel spreadsheets needed to have Flash support in the first place. "I don't really see the point of embedded SWFs inside Excel documents," said Roel Schouwenberg, senior malware researcher at Kaspersky Lab.

Calling it a clear example of when "too much functionality in a product is not a good thing," Schouwenberg said Microsoft should allow users to turn off excess features. Alternatively, Adobe could refuse these kinds of integrations to "reduce the attack surface," he said.

Schouwenberg said he was able to run the exploit on Windows XP but not on Windows 7. A different technique would probably be able to exploit the vulnerability under Windows 7, he said.

Adobe has yet to see the exploits targeting Acrobat or Reader. In the event of a Reader exploit, Adobe Reader X's "Protected Mode" would prevent the malicious exploit from executing, Adobe said.

Adobe is working on a fix for the vulnerability and will release an update for Flash Player 10.x and earlier versions for Windows, Mac, Linux, Solaris and Android, Adobe Acrobat and some versions of Reader during the week of March 21, according to the advisory. Adobe will not update Adobe Reader X until the next regular quarterly update scheduled for June 14.

An out-of-cycle update for Adobe Reader X would have delayed the current patch release schedule by another week, Brad Arkin, senior director of product security and privacy at Adobe, wrote on the Adobe Secure Software Engineering Team blog. An out-of-cycle update would also "incur unnecessary churn and patch-management overhead" considering that the risks are low for Reader X users, the team said.

Considering that Reader X would be able to prevent the exploit from executing, users should go ahead and update their software to this version, said Wolfgang Kandek, CTO of Qualys. "This occurrence highlights the increased robustness gained from the sand-boxing," he said.

Adobe is expected to still release Flash Player 10.2 for mobile devices on March 18. The latest version will already have this vulnerability fixed, Wiebke Lips, an Adobe spokesperson, told eWEEK.

The exploit targeting this vulnerability was reported to Adobe from a third party as part of the company's Product Security Incident Response Team activities, Lips said.