Adobe has confirmed that an unpatched bug in Flash Player is being exploited using Microsoft Excel documents. Flash will be patched next week, and Reader, which contains code that renders Flash content inserted in PDF files, will also be updated.
Wolfgang Kandek, CTO at Qualys, said, "They have exploits out in the wild, so they're moving pretty quickly. That's commendable."
A security advisory issued on Monday stated that attackers are embedding malicious Flash files within an Excel document sent as an email attachment. Adobe said it was not aware of any attacks directed at Reader or Acrobat.
In its advisory, Adobe acknowledged, "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system."
An Adobe spokeswoman confirmed that following the exploit, hackers are infecting systems with additional malware. The Excel file is simply delivering the malicious Flash code that's exploiting the vulnerability.
"Hackers use whatever mechanism makes sense, and Excel files are generally trusted documents," said Kandek. "So [the Excel document] is just part of the social engineering element here."
Adobe has not confirmed which day it will release the patch, but it often releases security fixes on Tuesday.