Adobe has confirmed that attackers are exploiting an unpatched bug in Flash Player using Microsoft Excel documents.
The company will patch Flash next week and will also update Adobe Reader, which includes code that renders Flash content inserted in PDF files.
"They have exploits out in the wild, so they're moving pretty quickly," said Wolfgang Kandek, chief technology officer at Qualys. "That's commendable."
According to a security advisory, attackers are exploiting the vulnerability by embedding malicious Flash files within a Microsoft Excel document sent as an email attachment.
Adobe said it wasn't aware of any attacks directed at Reader or Acrobat, the popular PDF viewer and commercial PDF creator, respectively.
"This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system," Adobe acknowledged in its advisory.
Brad Arkin, the company's director of product security and privacy, offered up more information in a blog. "Reports...thus far indicate the attack is targeted at a very small number of organisations and limited in scope," said Arkin.
After exploiting the Flash vulnerability, hackers are infecting systems with additional malware.
The Excel file is simply the delivery mechanism for the malicious Flash code that's exploiting the vulnerability, an Adobe spokeswoman confirmed.
"Hackers use whatever mechanism makes sense, and Excel files are generally trusted documents," said Kandek. "So [the Excel document] is just part of the social engineering element here."
Adobe will patch Flash, Reader and Acrobat next week - the company did not specify which day, but it often releases security fixes on Tuesday - but will not update Reader X, the newest version of the viewer that includes an anti-exploit 'sandbox' designed to stymie most attacks.
Reader X's sandbox blocks the current attacks, Arkin said, and would also prevent malware from being installed if hackers switch to delivering the exploit in malicious PDFs, a frequently-used tactic with Flash exploits.
Adobe decided not to update Reader X next week because building a fix would delay the release of the Flash, Reader and Acrobat updates by a week.
"Given the mitigation provided by the Adobe Reader X sandbox and the absence of attacks via PDF, we determined that an out-of-cycle update would incur unnecessary churn and patch management overhead on our users not justified by the associated risk," said Arkin.
Reader X will get a patch at the next regularly-scheduled update on June 14, Arkin added.
Users should take use the opportunity to update to Reader X, urged Kandek. "This is good example of how sandboxing provides additional hardening," he said. "At [Pwn2Own] last week, no one attempted to exploit [Google's] Chrome , for example. I think that had to do with the additional sandboxing in Chrome."
Reader X can be downloaded from Adobe's site; only the Windows version includes the sandbox technology, however.
Adobe last patched Flash and Reader February 8 when it shipped fixes for 42 flaws in the two programs.