Companies targeted by zero day Adobe Flash vulnerability

[UPDATE]
As mentioned at the end of my original post, I expect Adobe to release Flash and Acrobat updates sometime this week. However, Google Chrome users will get this Flash update early. If you use Chrome, Google and Adobe have already included the Flash fix in the latest Chrome release.

In a recent security advisory and blog post, Adobe warned of a new zero day Flash vulnerability that attackers are leveraging in the wild. The new vulnerability affects Adobe Flash Player, Reader X, and Acrobat X running on all platforms. Adobe doesn’t describe the vulnerability in much detail, other than that it lies within the authplay.dll component of their applications. They do, however, describe how attackers are leveraging the flaw in the wild.

Specifically, Adobe warns that attackers are attaching malicious Excel (.xls) documents to targeted emails. The attacker embeds a specially crafted Flash (.swf) file within the Excel document. If you open the malicious Excel attachment, the embedded .swf file executes and leverages the zero day flaw to install persistent malware on your system (likely a bot client that gives the attacker a stepping stone to install even more malware).
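To give defenders a concrete check for the vector described above, here is a first-pass filter that flags a legacy .xls attachment only when it carries an embedded SWF header, so a mail gateway can quarantine those files rather than every Excel attachment. This is an added example, not code from the original alert or from WatchGuard; the OLE2 magic and the 8-byte SWF header layout are standard, while the version and length sanity bounds and the sample blobs are assumptions constructed for the demonstration.

```python
import struct
from typing import Dict, List

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header of a legacy .xls
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")          # plain, zlib- and LZMA-compressed SWF
MAX_SWF_VERSION = 40                               # assumption: weeds out text false positives
MIN_SWF_LENGTH = 21                                # header + RECT + frame rate + frame count
MAX_SWF_LENGTH = 64 * 1024 * 1024                  # assumption: sanity cap for compressed SWFs


def find_embedded_swf(data: bytes) -> List[Dict]:
    """Return plausible SWF headers found anywhere in the raw attachment bytes.

    An OLE-embedded Flash object keeps its 8-byte SWF header verbatim inside a
    stream, so a raw scan catches it without parsing the container (heuristic).
    """
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                (length,) = struct.unpack("<I", header[4:8])
                plausible = (1 <= version <= MAX_SWF_VERSION
                             and MIN_SWF_LENGTH <= length <= MAX_SWF_LENGTH)
                # an uncompressed SWF declares its own size, which cannot exceed the container
                if sig == b"FWS" and length > len(data):
                    plausible = False
                if plausible:
                    hits.append({"offset": pos, "signature": sig.decode(),
                                 "version": version, "declared_length": length})
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def flash_in_excel(data: bytes) -> bool:
    """Gateway policy: quarantine a legacy .xls only when it carries Flash."""
    return data.startswith(OLE2_MAGIC) and bool(find_embedded_swf(data))


# Constructed samples (not real malware): an .xls-like blob with an embedded
# zlib-compressed SWF header (Flash 10, 1 KiB declared), and one where the
# letters "CWS" only appear in ordinary text.
SAMPLE_WITH_FLASH = (OLE2_MAGIC + b"\x00" * 504
                     + b"CWS" + bytes([10]) + struct.pack("<I", 1024) + b"\x78\x9c" + b"\x00" * 64)
SAMPLE_BENIGN = OLE2_MAGIC + b"\x00" * 504 + b"Quarterly report for CWS, Ltd" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("with_flash", SAMPLE_WITH_FLASH), ("benign", SAMPLE_BENIGN)):
        print(name, flash_in_excel(blob), find_embedded_swf(blob))
```

Because the scan does not walk OLE streams or inflate the compressed body, treat a hit as a reason to quarantine and inspect, not as proof of exploitation.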

Unfortunately, Adobe has just learned of this flaw from reports of attackers exploiting it in the wild. They haven’t had time to patch it yet. They plan to release Adobe Flash Player and Acrobat X updates that will fix this issue sometime during the week of March 21. However, they do not intend to release a Reader X update until June, since Reader X’s default sandbox setting should prevent this exploit from working.

In the meantime, I recommend you warn your users about opening Excel documents attached to strange emails. If you like, you could use the proxies on our XTM appliances to block all Excel attachments. However, most organizations need to allow them for business. I will let you know when Adobe updates their products in Security Alerts posted here.

Corey Nachreiner, CISSP

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.
