Adobe to patch critical flaw in Flash Player, Reader, and Acrobat next week

The flaw affects Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier for Chrome users) for Windows, Mac, Linux and Solaris operating systems; Adobe Flash Player 10.1.106.16 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Mac operating systems.

Adobe said that there are reports of the flaw being exploited in the wild in targeted attacks that use a Flash file embedded in a Microsoft Excel file delivered as an email attachment. The company stressed that it is not aware of attacks targeting Reader or Acrobat, noting that the Adobe Reader X sandbox would prevent execution of such an attack.

Brad Arkin, senior director of product security and privacy at Adobe, wrote in a blog: “Reports that we’ve received thus far indicate the attack is targeted at a very small number of organizations and limited in scope. The current attack leverages a malicious Flash (.swf) file inside a Microsoft Excel (.xls) file. The .xls file is used to set up machine memory to take advantage of a crash triggered by the corrupted .swf file. The final step of the attack is to install persistent malware on the victim’s machine.”

Arkin added that “out of a preponderance of caution we took the decision to ship out-of-cycle updates for Adobe Reader and Acrobat v9, and Acrobat X to mitigate the risk of attackers shifting the attack from an .xls container to a .pdf container.”
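As an added defender-side example (not code from Adobe or from this article), the following heuristic scans an Excel-style container for embedded SWF headers, matching the .swf-inside-.xls delivery described above; the sample file bytes are constructed, and the 8-byte SWF header layout and the accepted version range are assumptions made for this example.

```python
import struct

# Magic prefixes of the three SWF container formats: uncompressed, zlib, LZMA.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

def find_embedded_swf(data: bytes):
    """Return sorted (offset, magic, version, declared_len) tuples for each
    plausible SWF header found anywhere in `data`.

    Heuristic: a SWF header is the 3-byte magic, a 1-byte version and a
    4-byte little-endian uncompressed length. Requiring a sane version and
    a declared length of at least the 8-byte header filters most accidental
    matches of the three-letter magics in ordinary file content."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (off := data.find(magic, start)) != -1:
            start = off + 1
            header = data[off:off + 8]
            if len(header) < 8:
                continue  # truncated at end of buffer, cannot be a full header
            version = header[3]
            declared_len = struct.unpack("<I", header[4:8])[0]
            if 1 <= version <= 50 and declared_len >= 8:
                hits.append((off, magic.decode(), version, declared_len))
    return sorted(hits)

def make_swf_header(magic: bytes = b"FWS", version: int = 10, length: int = 4096) -> bytes:
    """Build an 8-byte SWF header (constructed test data, not a real movie)."""
    return magic + bytes([version]) + struct.pack("<I", length)

def build_sample_xls_like(swf_payload: bytes) -> bytes:
    """Constructed sample: the OLE2 compound-file magic, some filler and a
    stream name, then the SWF bytes. It stands in for an .xls carrying an
    embedded Flash object and is not a real Excel workbook."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return ole_magic + b"\x00" * 64 + b"Workbook" + b"\x00" * 32 + swf_payload

# Sample with a zlib-compressed (CWS) header at byte offset 112.
SAMPLE = build_sample_xls_like(make_swf_header(b"CWS", 10, 1234) + b"\x78\x9c" + b"\x00" * 16)

if __name__ == "__main__":
    for off, magic, ver, n in find_embedded_swf(SAMPLE):
        print(f"SWF ({magic}) at offset {off}: version {ver}, declared length {n}")
```

A real .xls is an OLE2 compound file whose streams may be split across non-contiguous sectors, so in practice run this scan over each stream after parsing the container (for example with the olefile library) rather than over the raw file alone.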
