News

Adobe warns of Flash Player zero-day exploit via Word document

SearchSecurity.com Staff

Adobe Systems Inc. has issued a security advisory notifying users of a serious Flash Player zero-day vulnerability that could be used by attackers to gain complete control of a system and warning that

Requires Free Membership to View

ongoing attacks are spreading using a malicious Microsoft Word document.  

The flaw affects Adobe Flash Player for Windows, Macintosh, Linux and Solaris and Flash Player for Android and Chrome users. In a security advisory issued Monday, Adobe said the vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. In addition a component in Adobe Reader and Acrobat X for Windows and Macintosh systems is also affected.

“There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment,” Adobe said. “At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat.”

Adobe said the threat to Reader X users is significantly lower because this issue does not bypass Adobe Reader Protected Mode.

Adobe has not ruled out an out-of-band update to fix the vulnerabilities. Engineers are still testing an update to Flash Player for Windows, Macintosh, Linux, Solaris and Android. The company is also still readying an update for Adobe Reader and Acrobat.

Adobe Reader X for Windows will be updated during the next quarterly security update  scheduled for June 14.

Adobe’s last official update was March 21, when it repaired a Flash Player vulnerability being targeted by attackers using Microsoft Excel files. Adobe also repaired a security problem that affects the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.