The two vulnerabilities are CVE-2013-0633 and CVE-2013-0634. The former, warns Adobe, is being used by attackers within “a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.” The latter is being exploited similarly, but also “in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform.”
Both vulnerabilities are clearly being exploited in targeted attacks. In its acknowledgements for reporting the flaws, Adobe notes Kaspersky Labs for the former, and ShadowServer, MITRE and Lockheed Martin for the latter. The Lockheed Martin association is raising eyebrows. “This combination of reporters suggests that the attacks were targeted industrial espionage,” comments Heise Online.
Separately, FireEye has examined the former of the two exploits. “We have identified two unique Word files containing CVE-2013-0633 so far,” it blogged yesterday. “It is interesting to note that even though the contents of Word files are in English, the codepage of Word files are "Windows Simplified Chinese (PRC, Singapore)". The Word files contain a macro to load an embedded SWF flash object.”
It is also worth noting that the modus operandum of these exploits is a typical APT gambit. Last year Trend Micro revealed that more than 90% of successful APT attacks start with spear-phishing via an email containing a malicious attachment. It is probably this combination of defense contractor, China (or at least ‘Chinese’) and APT that has persuaded Adobe to release this emergency patch.
The primary targets are Windows and Mac, but Adobe has also patched Linux and Android. Because of the active, 0-day nature of the attacks, it would be advisable for all users to update Flash as soon as possible – even if they are not defense contractors. The latest, patched versions can be found here.