Adobe warns of Flash Player zero-day attack

Summary: Malicious hackers are using rigged Microsoft Excel files to exploit a zero-day flaw in Adobe's ubiquitous Flash Player software.

A security advisory from Adobe says the "critical" vulnerability affects the latest versions of Adobe Flash Player for Windows, Mac OS X, Linux, Solaris and Chrome. It also exists in the authplay.dll component that ships with Adobe Reader and Acrobat X.

"There are reports that this vulnerability is being exploited in the wild in very limited, targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file and delivered as an email attachment," the company warned.

From Adobe's alert:

This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. Adobe is not currently aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

The company expects to ship a patch for Flash Player 10.x and earlier versions for Windows, Mac, Linux, Solaris and Android on March 21st.

On that date, a new version of Adobe Reader will also be released.

Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, Adobe plans to fix the flaw in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.

The use of embedded SWF (Flash) files in Microsoft Excel has prompted security experts to wonder why Microsoft's spreadsheet program needs to support Flash content.
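
A mail-gateway triage check for the delivery method described in Adobe's alert, added here as an example (it is not code from Adobe or from the original article): it flags OLE2 attachments such as .xls files that contain a plausible SWF header. The function names, the size and version limits, and the sample bytes are assumptions made for the illustration.

```python
import struct
import zlib

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # Compound File header (.xls, .doc)
MAX_SWF_VERSION = 50            # assumed upper bound, cuts false positives
MAX_SWF_LENGTH = 64 * 1024 * 1024  # assumed cap, also bounds decompression


def _body_ok(sig: bytes, data: bytes, pos: int, length: int) -> bool:
    """Check that the bytes after the 8-byte header match the declared length."""
    body = data[pos + 8:]
    if sig == b"FWS":               # uncompressed: the body must be present
        return len(body) >= length - 8
    try:                            # CWS: zlib stream, length is the inflated size
        out = zlib.decompressobj().decompress(body, length)
    except zlib.error:
        return False
    return len(out) == length - 8


def find_embedded_swf(data: bytes) -> list:
    """Return sorted (offset, signature, version, declared_length) tuples."""
    hits = []
    for sig in (b"FWS", b"CWS"):
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                (length,) = struct.unpack("<I", header[4:8])
                if (1 <= version <= MAX_SWF_VERSION
                        and 8 < length <= MAX_SWF_LENGTH
                        and _body_ok(sig, data, pos, length)):
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def scan_attachment(data: bytes) -> list:
    """Only OLE2 containers are inspected; anything else returns no hits."""
    return find_embedded_swf(data) if data.startswith(OLE2_MAGIC) else []


def build_sample() -> bytes:
    """Constructed test input: OLE2 magic, padding, one FWS and one CWS blob."""
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 8 + 32) + b"\x01" * 32
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + 64) + zlib.compress(b"\x02" * 64)
    return OLE2_MAGIC + b"\x00" * 504 + fws + b"FWS report text" + cws
```

This is a heuristic: a stream fragmented across non-contiguous sectors can hide a compressed SWF from the zlib check, so a hit is a reason to quarantine and inspect, and a miss is not proof the file is clean.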

Talkback

26 comments
  • RE: Adobe warns of Flash Player zero-day attack

    I think Adobe needs a good kick in the pants. They are in need of some serious security experts. Why would anyone embed a .swf file in an Excel worksheet? Microsoft Windows users should be really offended by the announcement. Having to wait till June for a fix? As it was shown by CanSec West protected mode can be bypassed, using known flaws. So they should update all versions of Flash, or possibly be held accountable.
    Rick_K
    • RE: Adobe warns of Flash Player zero-day attack

      @Rick_K
      the fix for reader is in june, but flash gets the update in march
      KBot
    • RE: Adobe warns of Flash Player zero-day attack

      @Rick_K

      All platforms have exploits. That isn't going to change and it isn't going to go away, e.g., hiring some "serious security experts".

      There are ways to mitigate and in this respect, many organizations, including Microsoft with Windows XP, have been extremely remiss in empowering end users who are anything but security experts.

      If you want to have a sense of what I'm talking about, read on:

      http://mastercobbler.blogspot.com/2008/09/its-shiny.html

      Google was a vanguard in using security APIs that had sat in every copy of Windows 2000 and XP for nearly 10 years. More specifically, MS, Adobe et al could have applied the techniques mentioned in that post to their client applications ages ago... but never did. Windows XP were (and the ones that remain) way more vulnerable.

      -M
      betelgeuse68
    • Why would anyone allow it

      "Why would anyone embed a .swf file in an Excel worksheet?"

      Flash embedded in a spreadsheet? Interesting. Surely MS Office document formats have been the best thing for malware writers. The gift that keeps on giving;-)
      Richard Flude
      • RE: Adobe warns of Flash Player zero-day attack

        @Richard Flude

        Good luck with your clay tablet and stick - I hear it's totally secure!
        tonymcs@...
      • Ah, tonymcs with another insightful post

        There's considerable daylight between a file format that allows executables (huge security target from introduction) and a "clay tablet and stick".

        Sadly the MCSE's ignorance is such they can't see it. You're right tonymcs, clearly no solution to this attack vector;-)
        Richard Flude
      • And windoze fanbuis complain...

        ...about why this isn't on the iPad?

        Keep your swiss cheese security to yourself.
        LTV10
      • RE: Adobe warns of Flash Player zero-day attack

        @Richard Flude While that's true, and one has to wonder about embedding a programming language with documents you're going to receive in email(!)

        Office documents are really appealing because of how ubiquitous they are, and how easy it is to get someone to open them. For example, if someone in the sales team receives an email with an attachment "invitation to tender.doc", that's hard to resist.
        jeremychappell
      • RE: Adobe warns of Flash Player zero-day attack

        @LTV10 that's an absolute joke of a comment. This is such a stupidly small risk unless you're a complete and utter retard. "Hmm, excel file sent from someone I've never heard of....let's open it!" Like come on, and the iPad SHOULD have Flash, it's not like this exploit is happening on actual websites that display flash content and you're going to get hacked if you go there. You are just as stupid as the people who open up the .xls and get attacked by this.
        jmckay417
      • RE: Adobe warns of Flash Player zero-day attack

        "@LTV10 that's an absolute joke of a comment. This is such a stupidly small risk unless you're a complete and utter retard."

        Oh I agree, but Ryan seems to think it's a big enough threat.

        Besides, most people who use windoze on an exclusive basis are complete and utter retards, anyway. After all, most of them click on every wizard and attachment that they come across. No wonder the security industry gets rich off their stupidity. We probably wouldn't have this problem otherwise.

        "'Hmm, excel file sent from someone I've never heard of....let's open it!' Like come on, and the iPad SHOULD have Flash, it's not like this exploit is happening on actual websites that display flash content and you're going to get hacked if you go there."

        It's not just this particular exploit, but all the other Adobe exploits that seem to come out on a weekly basis that Apple should be concerned about. Just because you're a slave to Flash doesn't mean the whole rest of the internet should be.

        "You are just as stupid as the people who open up the .xls and get attacked by this."

        I've never done that before. Sounds like maybe you have and are now doing some projecting on me.

        All your anger in the world isn't going to convince Apple to allow Flash on the iPad. Their strong sales and the fact that most of their buyers don't care about Flash proves otherwise.
        LTV10
    • RE: Adobe warns of Flash Player zero-day attack

      @Rick_K
      .swf in Excel spreadsheet maybe is to liven it up just like a bad PowerPoint ; ).
      phatkat
  • RE: Adobe warns of Flash Player zero-day attack

    No flash installed on my Windows 7 machine :)
    shellcodes_coder
    • RE: Adobe warns of Flash Player zero-day attack

      @shellcodes_coder
      But you have to have Flash, that's why iPads don't sell . . . oh, hang-on, there's a mistake somewhere in that logic.
      Wakemewhentrollsgone
  • Bloatware

    The problem with Flash is that it has, over the years, like ALL other Adobe products, turned into bloatware that tries to do more and more every release. No wonder it's impossible to keep secure, how many people at Adobe fully understand all the code? Hopefully the new Adobe products will have a clean start, tight code and enough features to get the job done without throwing every possible rarely used extra in the mix.
    keel
  • Is it me? It seems I'm always reading something

    like this when it comes to Flash?

    Pagan jim
    James Quinn
    • Not only you ...

      @James Quinn ... for over a year, you can read an Adobe vulnerability every week. Check it out ... it was every Thursday last year and every Monday this year.
      wackoae
  • Nothing to worry about :D

    If this only comes in emails, then I have nothing to worry about :D it all falls back to the end user's capability of being self aware of their online security.

    It's a no brainer
    If you are suspicious of an email sent to you, which managed to bypass your spam filter, it is 99.99% of the time just SPAM (from some fukn Asian spammers, lol, that's what I get 99% of the time in my spam folder; some Asian ). So, simply move it to your spam folder and all this threat talk will be considered trash talk ;)
    MrElectrifyer
    • RE: Adobe warns of Flash Player zero-day attack

      @MrElectrifyer Yeah, because someone emailing you a document called "invitation to tender.xls" isn't appealing at all...

      Or is it?

      This isn't as simple as you'd think - especially if the spammer can actually spell and write recognisable English (as opposed to the normal gibberish).
      jeremychappell
  • Steve Jobs right about Adobe Flash?

    OK, when Steve came out against Flash I was pretty skeptical. In fact I really thought he was wrong. But now, I am leaning towards his way of thinking.
    jscott418-22447200638980614791982928182376
    • RE: Adobe warns of Flash Player zero-day attack

      @jscott418 this comes in an email attachment, it says so right in the article. Why would you be downloading and opening document files when you have no reason to expect them? Or when you don't know the sender on the other end? This is dumb, it's only a security risk if you're retarded enough to go downloading everything sent to your inbox.
      jmckay417