Adobe confirms critical Flash zero-day bug

Second flaw in four weeks exploited using Word attachments

For the second time in the last four weeks, Adobe has told users that hackers are exploiting an unpatched bug in Flash Player, again by embedding malicious code inside a Microsoft Office document.

In a security advisory issued Monday, Adobe said that attackers are exploiting the vulnerability by embedding Flash attack files within a Microsoft Word document sent as an email attachment.

Adobe did not spell out a patch timeline for the newest Flash zero-day.

Four weeks ago, Adobe issued a similar warning about a different flaw that hackers manipulated via attack code tucked inside Excel spreadsheet attachments.

Later, RSA Security confirmed that the March vulnerability had been used by cybercriminals to gain a foothold on its corporate network, then steal information related to the company's SecurID two-factor authentication products.

Adobe patched last month's Flash bug on March 21.

Mila Parkour, the independent security researcher who reported the newest Flash flaw to Adobe, said attackers have inserted a malicious Flash Player file into a Word document named "Disentangling Industrial Policy and Competition Policy," which is then sent to targeted recipients as an attachment.

The email message's subject heading is "Disentangling Industrial Policy and Competition Policy in China," Parkour said in an April 6 entry on her Contagio Malware Dump blog.

One message that Parkour cited claimed the attached Word document was a copy of the American Bar Association's Antitrust Source newsletter, hinting that the target recipients may have been the legal departments at corporations or government agencies.

People seeing the email and attachment could be expected to fall for the ruse, since the most recent issue of Antitrust Source does contain an article by the same name. The legitimate article is available on the newsletter's Web site ( download PDF document ).

Parkour has reported numerous vulnerabilities to Adobe, including one last September in the company's popular PDF viewer, Adobe Reader.

The Flash vulnerability also exists in Adobe Reader and Acrobat, both of which include code that renders Flash content inserted into PDF files.

"At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat," Adobe said in the advisory.

Last month, ">Microsoft urged Excel users to install and run the Enhanced Mitigation Experience Toolkit (EMET) to block those attacks, and said that Excel 2010 was not susceptible to the exploit because of its "Protected View" sandbox.

While those same recommendations may apply today for Word, Microsoft was not immediately able to confirm that to Computerworld.

Currently, only one anti- virus firm, Commtouch, has issued a signature that tags the rogue Word document as a threat, according to VirusTotal, a free service that analyzes suspicious files.

Flash vulnerabilities are an attractive target to hackers, said Andrew Storms, director of security operations at nCircle Security. When asked if the rash of Flash flaws meant it was time for companies to consider ditching the browser plug-in, Storms answered, "That's going to be incredibly hard due to the pervasiveness of its use in valid business systems."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags App SecurityAdobe SystemssecurityMalware and Vulnerabilitiesmalware

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?