Adobe announced in a security advisory on Monday that a new zero-day vulnerability in Adobe Flash was being actively exploited, crediting Mila Parkour, who has published more details. News of the vulnerability was broken by Brian Krebs of Krebs on Security, who reported:
According to sources, the attacks exploit a vulnerability in fully-patched versions of Flash, and are being leveraged in targeted spear-phishing campaigns launched against select organizations and individuals that work with or for the U.S. government. Sources say the attacks so far have embedded the Flash exploit inside of Microsoft Word files made to look like important government documents.
Later that day, Adobe confirmed the report and released its security advisory which adds further details:
This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform. At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
At the end of the week, Adobe patched Adobe Flash and promised a patch for Adobe Acrobat and earlier versions of Adobe Reader in the week of April 25th. This afternoon, the security bulletin accompanying today’s Flash release was posted:
These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-0611).
Adobe recommends users of Adobe Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris update to Adobe Flash Player 10.2.159.1 (Adobe Flash Player 10.2.154.27 for Chrome users). Adobe recommends users of Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux update to Adobe AIR 2.6.19140. Adobe expects to make available an update for Adobe Flash Player 10.2.156.12 and earlier versions for Android no later than the week of April 25, 2011.
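The bulletin's version matrix is easy to misread during patch verification, because the Flash build bundled with Chrome is fixed at a version number that is numerically lower than the standalone player's fix. The following is an added example (not Adobe's or this site's code) that turns the quoted minimum versions into an inventory check; the product-line keys, hostnames and inventory rows are constructed for the example.

```python
"""Added example: flag Flash Player / AIR installs still exposed to CVE-2011-0611.

Minimum fixed versions are taken from the Adobe bulletin quoted above.
The host inventory below is constructed sample data, not real systems.
"""
import re
from typing import Dict, List, Optional, Tuple

# Product line -> first fixed version. None means the line is affected but
# no fix had shipped yet (Android was promised for the week of April 25, 2011).
FIXED_VERSIONS: Dict[str, Optional[str]] = {
    "flash_player": "10.2.159.1",          # Windows, Macintosh, Linux, Solaris
    "flash_player_chrome": "10.2.154.27",  # Flash bundled with Google Chrome
    "air": "2.6.19140",
    "flash_player_android": None,
}

def parse_version(raw: str) -> Tuple[int, ...]:
    """Normalise '10.2.153.1', '10,2,153,1' or 'WIN 10,2,153,1' to (10, 2, 153, 1).
    Flash's own $version string uses the comma form with a platform prefix."""
    nums = re.findall(r"\d+", raw)
    if not nums:
        raise ValueError(f"no version number in {raw!r}")
    return tuple(int(n) for n in nums)

def is_vulnerable(product: str, installed: str) -> bool:
    """True if the install is below the fixed version for its product line.
    The product line matters: Chrome's bundled 10.2.154.27 is patched even
    though it sorts below the standalone player's 10.2.159.1."""
    fixed = FIXED_VERSIONS[product]
    if fixed is None:
        return True  # affected line with no fix available: still exposed
    return parse_version(installed) < parse_version(fixed)

def check_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) for every install that still needs patching."""
    return [(h, p, v) for h, p, v in inventory if is_vulnerable(p, v)]

# Constructed sample inventory (hostnames and versions made up for the example).
SAMPLE_INVENTORY = [
    ("ws-01", "flash_player", "WIN 10,2,153,1"),         # pre-patch, vulnerable
    ("ws-02", "flash_player", "10.2.159.1"),              # patched
    ("ws-03", "flash_player_chrome", "10.2.154.27"),      # patched Chrome build
    ("ws-04", "flash_player_chrome", "10.2.154.25"),      # vulnerable Chrome build
    ("ws-05", "air", "2.6.19120"),                        # vulnerable AIR
    ("ws-06", "air", "2.6.19140"),                        # patched AIR
    ("phone-01", "flash_player_android", "10.2.156.12"),  # affected, no fix yet
]

if __name__ == "__main__":
    for host, product, version in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} still exposed to CVE-2011-0611")
```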
A month ago, Adobe patched another critical vulnerability in Flash and similarly left Adobe Reader X unaddressed because the “Protected Mode” sandboxing was preventing the attack.
Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.
You can download the latest Adobe Flash setup executables directly, without the Adobe DLM, from the links in this previous article: Download the Latest Adobe Flash for Firefox and IE Without Any Extras.
Happy patching!