Tainted PowerPoint and Word documents likely to follow

Aug 5, 2009 13:18 GMT

Cybercrooks have found a new way to exploit a recently patched critical Flash vulnerability, which has been used to infect Web surfers with malware since July. The new technique involves malicious SWFs embedded into Microsoft Excel spreadsheets.

During the latter half of July, security researchers warned of a previously undisclosed vulnerability in Adobe Flash Player that was being exploited in the wild through malformed SWF files. In addition to the SWF-based drive-by download attacks, it was confirmed that Adobe Reader and Acrobat were vulnerable as well, because of the ability to embed Flash streams into PDF files.

At the end of July, Adobe released security updates that addressed this vulnerability, identified as CVE-2009-1862, for its Flash Player, AIR, Reader and Acrobat products. Nevertheless, it's well known by the security industry and cybercriminals alike that end users and even many corporate ones don't patch in a timely manner.

In such cases, antivirus solutions are the only method of protection and most of them have added detection for the malicious SWF and PDF files. However, security researchers from antivirus vendor Sophos warn that, in order to counter AV protection, malware distributors have switched to using Excel files, which also support embedded Flash.

"It was only a matter of time before the AVs caught up and started blocking suspicious PDFs and so the game has moved onto finding other compound files capable of embedding and invoking Flash objects. Microsoft's OLE2 compound document format is well suited to this scenario and is being actively exploited," they explain.

The sample file looks like an empty spreadsheet when opened in Excel, but it carries two Flash objects hidden in one of the cells. "The two embedded Flash objects are detected as Troj/SWFExp-M and Troj/SWFExp-N and are of the same nature as used in the PDF of recent past," the Sophos alert notes.
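The defensive point of the story is that a container the user trusts (an OLE2 spreadsheet) is being used to smuggle a SWF past signature checks aimed at PDFs. The following triage scanner is an added example written for this article; it is not Sophos code, not the detection behind Troj/SWFExp-M/N, and the byte string it inspects is constructed here, not the spreadsheet Sophos analysed. It checks for the OLE2 compound-file magic and then looks for SWF headers (the `FWS`/`CWS`/`ZWS` signatures followed by a version byte and a little-endian length) anywhere in the raw bytes; the version and length plausibility bounds are assumptions chosen to suppress chance matches in ordinary text.

```python
import struct

# Magic bytes of an OLE2 / Compound File Binary container (Excel .xls, .doc, .ppt).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# SWF file signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}

# Plausibility bounds (assumed values, not from the article) used to discard chance
# matches of the three-letter signatures inside ordinary text: a Flash version byte
# is small, and a declared length must at least cover the 8-byte header.
MAX_PLAUSIBLE_VERSION = 40
MAX_PLAUSIBLE_LENGTH = 64 * 1024 * 1024


def is_ole2_container(data: bytes) -> bool:
    """True if the blob starts with the OLE2 compound document header."""
    return data[:8] == OLE2_MAGIC


def find_embedded_swf(data: bytes) -> list:
    """Scan raw bytes for SWF headers and return one dict per plausible hit.

    The SWF header is: 3-byte signature, 1-byte version, 4-byte little-endian
    uncompressed length. A signature is only reported when the version and
    length fields look sane, which filters out the signature letters occurring
    by accident in text such as 'FWSite'.
    """
    hits = []
    for signature, compression in SWF_SIGNATURES.items():
        pos = data.find(signature)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                if 1 <= version <= MAX_PLAUSIBLE_VERSION and 8 <= length <= MAX_PLAUSIBLE_LENGTH:
                    hits.append({"offset": pos, "compression": compression,
                                 "version": version, "declared_length": length})
            pos = data.find(signature, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def triage(data: bytes) -> dict:
    """Summarise why a file deserves a closer look: an Office container carrying Flash."""
    hits = find_embedded_swf(data)
    container = is_ole2_container(data)
    return {
        "ole2_container": container,
        "swf_objects": len(hits),
        "suspicious": container and len(hits) > 0,
        "hits": hits,
    }


def build_sample() -> bytes:
    """Constructed test input: OLE2 header, filler, a text decoy and two fake SWF headers.

    This is not a real spreadsheet and not the sample Sophos analysed; it only
    exercises the scanner.
    """
    sector_filler = b"\x00" * 504                  # pads the 8-byte magic to one 512-byte sector
    decoy = b"Report for FWSite team\x00"          # 'FWS' inside text: version byte is 'i' (105)
    swf_a = b"CWS" + bytes([10]) + struct.pack("<I", 0x1234) + b"\x78\x9c" + b"\x00" * 20
    swf_b = b"FWS" + bytes([9]) + struct.pack("<I", 1500) + b"\x00" * 20
    return OLE2_MAGIC + sector_filler + decoy + swf_a + b"\x00" * 64 + swf_b


if __name__ == "__main__":
    print(triage(build_sample()))
```

Running it on the constructed sample reports an OLE2 container with two SWF objects (one zlib-compressed, one plain) and ignores the decoy text. Because the scan works on raw bytes rather than parsed OLE2 streams, a header that straddles two non-contiguous 512-byte sectors would be missed; for anything beyond quick triage, walk the streams with a proper compound-file parser and apply the same header check to each stream's reassembled contents.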

Peter Szabo, senior virus researcher at SophosLabs Australia, advises that this attack is likely to be adapted to PowerPoint and Word documents too. All users are strongly encouraged to upgrade to the latest version of Flash Player.