Adobe Warns of Another Critical Flash Zero-Day Bug

Adobe issued its second bulletin in four weeks about a critical Flash vulnerability. This time, attackers are using a Word document with Flash embedded.

For the second time in four weeks, Adobe warned users of a critical vulnerability in its Flash Player that could potentially allow an attacker to take remote control of the compromised system.

Attackers are exploiting the latest Flash Player bug by embedding malicious Flash files within a Microsoft Word document that is emailed to users as an attachment, Adobe said in a security advisory (CVE-2011-0611) issued April 11. The company did not give any indication as to when the bug will be patched, as it was "finalizing a schedule."

The same vulnerability also exists in Adobe Reader and Acrobat, as they can both read Flash content inserted in PDF files. However, Adobe said it was not aware of any attacks via PDF targeting Adobe Reader and Acrobat currently in the wild.

If executed, the rogue Word document could cause the system to crash and allow attackers to take control of the affected system, according to the advisory.

The previously disclosed Flash bug, patched March 21, was very similar, except attackers used a rogue Excel spreadsheet to hide its malicious Flash code. RSA Security revealed on April 1 that cyber-criminals used the Excel spreadsheet exploit to gain entry into RSA's network and steal information related to the SecurID two-factor authentication technology.

Like the previous Flash bug, this latest one is neutralized in Adobe Reader X, which utilizes a sandbox that prevents the exploit from executing.

Adobe will be fixing the issue on all affected software with the exception of Adobe Reader X, in a practice Chester Wisniewski, senior security adviser at Sophos, called "distasteful" on the NakedSecurity blog.

"It's great that the sandbox is working against some of these exploits, but it suggests it is OK to consume malicious code because you have 'protection,'" Wisniewski said.

Users can revert to either Adobe Reader 8 or upgrade to Adobe Reader X. Reader X is available only for Windows users.

One instance of the malicious Word document seen in the wild is named "Disentangling Industrial Policy and Competition Policy," which is sent to targeted recipients as an attachment, according to Mila Parkour, the independent security researcher who reported the latest flaw to Adobe. The sample she saw claimed the document was a copy of the American Bar Association's Antitrust Source newsletter, Parkour wrote on her Contagio Malware Dump blog.

The email message's subject line is similar to the file name, and reads, "Disentangling Industrial Policy and Competition in China," Parkour said. The body of the message claims the article would be of interest to anyone wanting to know about China's Anti-Monopoly Law.

Considering that the most recent issue of Antitrust Source contains a legitimate article by the same name, which is available on the newsletter's Website, it's likely that people would fall for the ruse, especially if they were members of the legal community.

The document has been used in targeted spear-phishing campaigns against select organizations and individuals working with the U.S. government, according to Brian Krebs on Krebs on Security.

Currently, Commtouch is the only major antivirus vendor whose security software correctly detects the malicious Word document, according to VirusTotal, a service that analyzes suspicious files and checks them against 42 major antivirus products.

The vulnerability impacts Adobe Flash Player 10 on all operating systems and Adobe Reader 9 and X for Windows and Macintosh, according to the advisory. It does not affect Adobe Reader for Android, Unix or Adobe Reader/Acrobat 8.