A vulnerability that Adobe has confirmed to exist in a number of its Reader, Flash Player and Acrobat products is being exploited through malicious Flash code in Web pages, according to one researcher.
As reported yesterday, the vulnerability is also being exploited via a malicious PDF file attack that can potentially crash Windows, Macintosh and Linux operating systems and, according to Adobe, "potentially allow an attacker to take control of the affected system."
However, there is another way the Adobe Flash vulnerability is being exploited: Paul Royal, principal researcher at Purewire, says it is being exploited through Web pages with the Flash exploit embedded in them as multimedia.
Royal described this form of attack as including "a Flash movie of one-frame length. This malicious Flash file is being embedded in Web pages, sometimes of legitimate Web sites that are compromised." Purewire's research indicates this malicious Flash movie file is just different enough from the PDF file exploit that it isn't being detected by many anti-malware software packages yet.
But Royal adds that just since Wednesday more anti-malware vendors have worked to update their software to detect the malicious PDF file exploit, generally sent as an email spam attachment. The malicious PDF file appears to be used mostly in targeted attacks against specific corporations.
In its advisory, which is being updated as needed, Adobe states, "A critical vulnerability exists in the current versions of Flash Player (v9.0159.0 and v.10.022.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v.9x for Windows, Macintosh and Unix operating systems. This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system."
Adobe, which says it is in contact with several anti-virus and security firms concerning the Flash vulnerability, states it intends to provide fixes for most of the affected products by the end of the month.
The underlying vulnerability has been known to exist as a 'bug' since December, but probably first began to be "weaponized" around July 9, says Royal. Flash exploits could have started prior to that, he adds.