The Inquirer-Home

Adobe Flash Player is hit by zero-day attacks again

A recurring case of deja vu
Tue Apr 12 2011, 11:18

ONLY A MONTH after Adobe revealed its Flash Player was under attack from hackers, it's happening again, with the firm forced to issue an advisory that a critical flaw is currently being exploited in the wild.

Instead of an Excel file exploit like last month, hackers are mounting targeted attacks using Flash (.swf) files embedded in Microsoft Word (.doc) files sent as email attachments. So far these attacks are hitting only Adobe Flash Player version 10.2 and earlier on Windows systems, but Mac, Linux, Solaris and Android versions are also vulnerable. Adobe has given no date for a fix as yet.

There is also a vulnerability in the Windows Authplay.dll component shipping with Adobe Reader and Acrobat X. Fortunately, Adobe hasn't seen PDF attacks trying to take advantage of this flaw so far. This will be fixed on 14 June.

In 2009 Adobe set up a regular quarterly patch cycle for Adobe Reader due to attackers constantly targeting PDF files. It might be time for Adobe to do the same with Adobe Flash Player, although a Microsoft-style monthly patch cycle might be more suitable considering the regularity of zero-day warnings lately.

As Microsoft has found, criminals generally target the software they know they can make the biggest profits from. Flash and Reader are two of the most deployed software applications in the world, which is obviously good for Adobe, but bad in terms of security.

It's also some justification for Apple's anti-Flash stance on its locked-down Ipad and Iphone IOS. Although Adobe has been clear that attacks haven't targeted Android as yet, that mobile operating system's support for Flash could make it a tempting attack vector for cyber criminals in the future. µ

Comments
Regarding flash on iOS

It's kind of funny that after several years of ranting that Apple doesn't support flash on iOS, Apple still have a fair shot to be FIRST with a proper implementation of Flash on a mobile platform. http://digithoughts.tumblr.com/post/4525712099/flash-on-the-ipad-2

posted by : Klarahugo, 12 April 2011
Fortunately...

Flash is dying.

posted by : mycelo, 12 April 2011
sandbox

I have never seen any legitimate use of embedded flash in acrobat reader or word documents. Just remove the feature entirely, one less thing to worry about.

Also, why can't flash or acrobat be built in a sandbox environment? Flash and pdf have absolutely no need to run with administrative privileges.

posted by : Roland, 12 April 2011