Adobe reveals second Flash vulnerability inside a month

The Flash Player vulnerability for versions 10.2.153.1 and earlier affects Windows, Mac, Linux, and Solaris, in addition to separate versions for Chrome and Android. Adobe said the vulnerability also affects the Authplay.dll component of Adobe Reader and Acrobat (versions 10.x and 9.x) for Windows and Mac.

The security vulnerability (CVE-2011-0611) could result in a system crash and “allow an attacker to take control of the affected system”, according to the Adobe advisory.

Adobe said there are reports of the vulnerability being actively exploited in the wild via “targeted attacks”. Attacks are propagated via a maliciously crafted Flash file embedded in a Microsoft Word document, delivered as an email attachment.
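The delivery method described above (a Flash file carried inside a Word document) leaves a recognisable trace: an SWF begins with a three-byte signature, "FWS", "CWS" or "ZWS", followed by a version byte. The triage script below, added here as an illustration and not code from the article or from Adobe, scans an Office attachment for that signature. Legacy binary .doc files are scanned as one blob; OOXML .docx files are ZIP containers, so each member is decompressed and scanned separately. The sample documents and payload bytes it builds are constructed for the demonstration.

```python
import io
import re
import zipfile

# SWF files start with "FWS" (uncompressed), "CWS" (zlib-compressed) or
# "ZWS" (LZMA, added in later Flash versions) followed by a version byte.
# A Flash object embedded in an Office file carries the same signature.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x3f]")


def find_swf_offsets(data: bytes) -> list:
    """Return the byte offsets of every SWF signature found in data."""
    return [m.start() for m in SWF_MAGIC.finditer(data)]


def scan_office_document(data: bytes) -> dict:
    """
    Report SWF signatures inside an Office document.

    OOXML (.docx) files are ZIP archives, so each member is read and scanned
    on its own; anything else (e.g. a legacy binary .doc) is scanned as raw
    bytes. Returns {member_name: [offsets]} containing only members with hits,
    so an empty dict means nothing Flash-like was found.
    """
    hits = {}
    if data[:4] == b"PK\x03\x04":  # ZIP local-file header: treat as OOXML
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                offsets = find_swf_offsets(zf.read(name))
                if offsets:
                    hits[name] = offsets
    else:
        offsets = find_swf_offsets(data)
        if offsets:
            hits["<raw>"] = offsets
    return hits


def build_sample_docx(embedded: bytes) -> bytes:
    """Constructed sample: a minimal ZIP laid out like a .docx, with an
    embedded object stored under word/media/ (hypothetical member name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/media/object1.bin", embedded)
    return buf.getvalue()


# Constructed SWF-like payload: "CWS" signature, version 10, 4-byte
# little-endian length field, then padding. Not a real Flash file.
SAMPLE_SWF = b"CWS\x0a" + (20).to_bytes(4, "little") + b"\x00" * 12

# Constructed legacy-style document: OLE magic bytes, filler, then the payload.
SAMPLE_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 100 + SAMPLE_SWF


if __name__ == "__main__":
    print("legacy .doc:", scan_office_document(SAMPLE_DOC))
    print(".docx with object:", scan_office_document(build_sample_docx(SAMPLE_SWF)))
    print(".docx without object:", scan_office_document(build_sample_docx(b"plain")))
```

Signature matching is a first-pass filter for mail-gateway or sandbox triage, not proof of malice: a hit only says a Flash object is present, and a legacy compound-file stream can be stored in non-contiguous sectors, so a proper OLE parser is the more robust route when a raw scan comes back empty on a suspicious file.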

The company added that it is not aware of any PDF attacks against Adobe Reader or Acrobat, and that the risk to Adobe Reader X users should be “significantly lower” because the attack method does not bypass the software’s sandbox mode.

This latest vulnerability is the second in the last month to use documents from the Microsoft Office suite to deliver a malicious payload. Earlier in April it was revealed that another Flash vulnerability was used to compromise RSA’s SecurID two-factor authentication product in a widely publicized data breach that occurred in March.

Adobe did not specify a timeline for delivering a Flash update, but the firm said it was currently finalizing a schedule to update the affected operating systems. The company said it would not address the issue for Adobe Reader X until the product’s next quarterly update in June, because the sandboxed reader “would prevent an exploit of this kind from executing”.
