Adobe's latest security bulletin warns that a critical vulnerability exists in the new Flash Player 10.2.152.33 and earlier for Windows, Mac, Linux and Solaris platforms. The vulnerability also exists in the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1), and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.
And for those Android users who just couldn't wait for the arrival of Froyo and its built-in support for Flash (cough), the vulnerability also exists in Flash 10.1.106.16 and earlier for the Android platform. Welcome to the Flash club.
According to Adobe, the "CVE-2011-0609" vulnerability could cause a crash and potentially allow an attacker to take control of the affected system/device. So far, Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by the current issue.
"There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat," the company said. "Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing."
Kaspersky Lab security researcher Roel Schouwenberg said in a blog post that the target must open a malicious XLS file for a vulnerability in Flash to be exploited. "This kind of structure is a perfect setup for targeted attacks," he said. "During testing, the particular exploit was not able to run successfully on Windows 7. It did work on Windows XP. It's likely though a ROP-exploit would be able to exploit this vulnerability under Windows 7."
Although Adobe didn't get into specifics, the company said an update for Flash Player 10.x and earlier will head to Windows, Macintosh, Linux, Solaris and Android during the week of March 21, 2011. An update for Adobe Acrobat X (10.0.1) and earlier, 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions will be made available that same week.
"Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011," Adobe said.
Owners of the new Motorola XOOM tablet-- which just received Flash Player support-- may want to delay installing Flash until Adobe releases a fix. Then again, all users are warned not to open XLS email attachments that were not requested.