New Adobe Flash zero day in the wild - infects through MS Word documents

Filed Under: Adobe, Adobe Flash, Featured, Malware, Spam, Vulnerability

Word/Flash logoAdobe has issued a security advisory concerning a new zero day flaw (CVE-2011-0611) in Adobe Flash Player 10. As usual this also means that other applications that support Flash content like Adobe Reader and Microsoft Office are also affected.

Brian Krebs wrote a blog post earlier today describing some targeted attacks using a Microsoft Word attachment that had an embedded Flash object used to exploit this flaw.

Mr. Krebs notes that the samples in the wild were largely being used in spear phishing attacks targeting the US Government and related contractors and agencies.

Adobe's advisory notes that Adobe Reader X utilizes a sandbox which prevents this exploit from working in Adobe Reader X on Windows. Windows machines with Flash installed are still vulnerable through their browsers and other applications.

The vulnerability impacts Adobe Flash Player 10 (all Operating Systems) and Adobe Reader 9 and X for Windows and Macintosh. It does not affect Adobe Reader for Android, Unix or Adobe Reader/Acrobat 8.

The only mitigation at this point is to remove Flash entirely and be sure you are using Adobe Reader 8/Adobe Reader X (Windows only).

Adobe mentioned they are working to release a fix for all affected software as soon as possible, with the exception of Adobe Reader X for Windows.

This is the same stance they took with the last Flash vulnerability that was mitigated through the use of Adobe Reader X's sandbox.

Personally I find this approach distasteful, and it was one of the concerns I had when Adobe had announced their sandbox technology. It's great that the sandbox is working against some of these exploits, but it suggests it is ok to consume malicious code because you have "protection".

It would be better to release security fixes with the same priority regardless of the version of the software.

The observed attack currently only targets Windows users, but once a fix is made available by Adobe I recommend everyone update to the latest Flash software.

SophosLabs have published their analysis, including links to our identities in our knowledgebase.

, , , , , ,

You might like

6 Responses to New Adobe Flash zero day in the wild - infects through MS Word documents

  1. Shiv Melm · 1605 days ago

    Probably by making that stance they are making everyone migrate to Reader X so that Adobe doesn't have to face the same problems as Microsoft and it's IE.

  2. Nathan · 1605 days ago

    Does Sophos currently detect and block/quarantine such an attack using their "endpoint security and control" software?

    Given the mitigation strategies are not feasible to implement in most organisations, it is comforting to know that your A/V software detects this type of attack vector anyway.

    • Chester Wisniewski · 1604 days ago

      Yes Nathan, we do detect the samples currently in the wild. I updated the post with a link to SophosLabs vulnerability analysis.

  3. Black A.M · 1605 days ago

    Considering the flaw in v8 is it really wise to be recommending it as a means of mitigation?

    • Chester Wisniewski · 1604 days ago

      Not sure that I would recommend it... It is simply one of the only options that is not vulnerable to this attack.

  4. Richard · 1604 days ago

    Oh, what a surprise.

    "If you press this button, your computer explodes. But we've wrapped your computer in bubble-wrap so that it doesn't cause too much damage to anything else, so we don't need to fix the button."

    Maybe it's time for the "remove all Adobe products" option, but that would also include Google Chrome, which has Flash built-in.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at