Adobe warns of zero-day flaw in Flash

Adobe has warned of a critical zero-day flaw that is found in most versions of its Flash player and which may also affect Reader and Acrobat.

The flaw is being exploited in the wild, the company said, and a patch will be issued as soon as possible, but is unlikely to come before next week.

"A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.13 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 101.106.16 and earlier versions for Android, and the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems," warned Adobe.

"There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat."

Reader X for Windows will not be included in the new patch, because the sandboxing technology it currently uses will mitigate the attack. Testing the patch to include the latest version of Reader would set the release back another week, Adobe said.

So far the attacks seen have been few and far between, Adobe said, with only a few organisations affected. It was working with Microsoft Active Protections Partners (MAPP) to deal with the issue.