Hackers exploit Flash zero-day, Adobe confirms
Plans to patch Flash, Reader next week, but cites Reader X's sandbox as reason why it won't update newest version
Computerworld - Adobe today confirmed that attackers are exploiting an unpatched bug in Flash Player using Microsoft Excel documents.
The company will patch Flash next week and will also update Adobe Reader, which includes code that renders Flash content inserted in PDF files.
"They have exploits out in the wild, so they're moving pretty quickly," said Wolfgang Kandek, chief technology officer at Qualys. "That's commendable."
According to a security advisory issued Monday, attackers are exploiting the vulnerability by embedding malicious Flash files within a Microsoft Excel document sent as an e-mail attachment.
Adobe said it wasn't aware of any attacks directed at Reader or Acrobat, the popular PDF viewer and commercial PDF creator, respectively.
"This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system," Adobe acknowledged in its advisory.
Brad Arkin, the company's director of product security and privacy, offered up more information in a Monday blog post. "Reports...thus far indicate the attack is targeted at a very small number of organizations and limited in scope," said Arkin.
After exploiting the Flash vulnerability, hackers are infecting systems with additional malware.
The Excel file is simply the delivery mechanism for the malicious Flash code that's exploiting the vulnerability, an Adobe spokeswoman confirmed.
"Hackers use whatever mechanism makes sense, and Excel files are generally trusted documents," said Kandek. "So [the Excel document] is just part of the social engineering element here."
Adobe will patch Flash, Reader and Acrobat next week -- the company did not specify which day, but it often releases security fixes on Tuesday -- but will not update Reader X, the newest version of the viewer that includes an anti-exploit "sandbox" designed to stymie most attacks.
Reader X's sandbox blocks the current attacks, Arkin said, and would also prevent malware from being installed if hackers switch to delivering the exploit in malicious PDFs, a frequently-used tactic with Flash exploits.
Adobe decided not to update Reader X next week because building a fix would delay the release of the Flash, Reader and Acrobat updates by a week. "Given the mitigation provided by the Adobe Reader X sandbox and the absence of attacks via PDF, we determined that an out-of-cycle update would incur unnecessary churn and patch management overhead on our users not justified by the associated risk," said Arkin.
Reader X will get a patch at the next regularly-scheduled update on June 14, Arkin added.
Users should take use the opportunity to update to Reader X, urged Kandek. "This is good example of how sandboxing provides additional hardening," he said. "At [Pwn2Own] last week, no one attempted to exploit [Google's] Chrome, for example. I think that had to do with the additional sandboxing in Chrome."
Reader X can be downloaded from Adobe's site; only the Windows version includes the sandbox technology, however.
Adobe last patched Flash and Reader Feb. 8 when it shipped fixes for 42 flaws in the two programs.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at
@gkeizer or subscribe to Gregg's RSS feed
. His e-mail address is gkeizer@computerworld.com.
Read more about Security in Computerworld's Security Topic Center.


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Driving Secure Enterprise File Sharing and Syncing in the Enterprise
- GroupLogic's new activEcho is the industry's only secure Enterprise File Sharing and Synching solution that balances the need for simplicity for the end...
- The Enterprise File Sharing Option
- Enterprises and IT departments need to address several critical security issues when considering file sharing and syncing products. Many of today's solutions do...
- Security Strategies to Virtualizing Internet-Facing Applications
- The IT organization at Intel has set a goal to transition their enterprise to a private cloud for their Office and Enterprise applications....
- Cloud Security Planning Guide
- Cloud security considerations span protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different...
- Cloud Security Vendor Round Table
- This vendor round table guide will help you to evaluate different cloud technology vendors and service providers based on a series of questions... All Security White Papers
- Live Webcast
Data Privacy and Protection in Production Environments: New Research from Ponemon Institute - Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT
In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... - Data Privacy and Protection in Production Environments: New Research from Ponemon Institute
- Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT
In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... - Security Certifications 101 - BlackBerry and all those acronyms what do they mean and why they matter?
- FIPS, Common Criteria, CAPS, AISEP, NFC, NIST, Fraunhofer SIT, CESG, DSD - these are just some of the government and industry certifications which...
- BlackBerry PlayBook OS 2.0 Security Overview
- The presentation provides an overview of BlackBerry PlayBook OS 2.0 security capabilities and features, including: BlackBerry® Balance™ technology, BlackBerry® Bridge, data-at-rest protection, and...
- BlackBerry NFC Security Overview
- The presentation on NFC security will provide an overview of the security protections built into the BlackBerry platform to protect users, application developers...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts