Adobe warns of zero-day vulnerability in Adobe Flash

Adobe has published a security advisory for a critical vulnerability in Adobe Flash that can be used to take control of an attacked machine.

Adobe has published a security advisory for a critical vulnerability in Adobe Flash that can be used to take control of an attacked machine.

Adobe Flash is embedded in Adobe Acrobat and Reader, so both of these software packages are also vulnerable to the attack.

Adobe says the company is aware of exploits for the vulnerability being used in the wild, with a known attack being made through a Flash file embedded in an Excel spreadsheet.

But Adobe says it is not aware of attacks targeting Adobe Reader and Acrobat.

Adobe will release a fix for the Windows, Mac OS X and Linux/Unix operating systems during the week beginning 21 March.

Brad Arkin, senior director, product security and privacy at Adobe, says the decision to ship an out-of-band update for Reader and Acrobat V9 and Acrobat X is based on past experience.

He said although Adobe has not received any reports of attacks through .pdf files, attackers have used this channel to exploit Flash Player vulnerabilities.

Wolfgang Kandek, chief technology officer at security firm Qualys says users of Adobe Reader X are not vulnerable to the exploit because the sandboxing technology included in Reader X prevents the code from executing.

"We recommend installing or updating your installations of Adobe Reader to this newest version, as this occurrence highlights the increased robustness gained from the sandboxing," he says.

Adobe says that because Adobe Reader X Protected Mode will prevent an exploit of this kind from executing, the company plans to fix the vulnerability in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader on 14 June.

"Given the mitigation provided by the Adobe Reader X sandbox and the absence of attacks via PDF, we determined that an out-of-cycle update would incur unnecessary churn and patch management overhead on our users not justified by the associated risk, in particular for customers with large managed environments," says Arkin.

Read more on Hackers and cybercrime prevention