An Adobe security
advisory warns of a new critical vulnerability in Flash Player 10.2.153.1 for Windows, Macintosh, Linux and Solaris, Flash Player 10.2.156.12 for Android and the Authplay.dll component in Adobe Reader and Acrobat X 10.0.2 and all earlier versions.
There are reports someone is exploiting the vulnerability by using crafted .swf files embedded in Microsoft Word .doc files via an email attachment. The vulnerability can, when exploited appropriately, allow an attacker to take control of a system.
The Krebs on Security blog reported the vulnerability was a part of a targeted spear-phishing campaign disguised as important government documents and launched against organizations or individuals who work for the U.S. government. Another example of the attack shows an email with a title of “Disentangling Industrial Policy and Competition Policy In China” with a supposed copy of an article on that subject attached.
Adobe says it is unaware of any attacks targeting Adobe Reader and Acrobat and say Reader X’s protected mode would have mitigated against exploitation of the vulnerability. There is no date for when Adobe plans to release updates to close the hole; the company says it is still “finalizing a schedule” to deliver any updates. It did say the company will update Adobe Reader X on its next scheduled Patch Tuesday on June 14, because of the mitigation offered by its protected mode.
Last month, Adobe patched a similar zero-day vulnerability; in this case a crafted .swf file embedded in an Excel file was exploiting the program. Google’s auto-updates to Chrome allowed them to close that hole days before Adobe release its patch.