Apr 12, 2011 07:57 GMT

Adobe warns that Flash Player is affected by a new 0-day critical vulnerability that is being actively exploited in the wild to compromise computers.

The flaw affects Flash Player 10.2.153.1 and earlier for Windows, Mac, Linux and Solaris, as well as Flash Player 10.2.156.12 and earlier for Android.

The authplay.dll Flash component that provides SWF playback support in Adobe Reader and Acrobat is also affected.

The vulnerability is being exploited in the wild via targeted email attacks that distribute Word documents rigged with maliciously crafted SWF content.

The attack method is very similar to the one used last month to exploit a different zero-day Flash Player vulnerability. The difference is that those attacks used rogue Excel spreadsheets instead of Word documents.

Furthermore, there is reason to believe they were orchestrated by sophisticated attackers with a clearly defined goal, because the emails targeted employees at RSA Security.

The exploit's payload was used to steal information about SecurID, a two-factor authentication solution used by thousands of corporations and government agencies around the world.

Adobe is working to deliver updates for Flash Player, Adobe Reader and Acrobat as soon as possible. One exception is Adobe Reader X (10.0.2) for Windows, which is protected from this type of exploit by its new sandboxing technology.

The Flash Player plug-in included by default in Google Chrome, currently at version 10.2.154.25, is also affected and will be patched, probably even more quickly than the stand-alone versions.

The Flash plug-in in Chrome 10 should also be protected from exploits, because it runs under the browser's native sandbox, which includes code execution protection, although Adobe has not confirmed this.

Meanwhile, users are strongly advised to keep their antivirus programs up to date as the company is working with security vendors to make the exploit signatures widely available.