Adobe kicked off the week with a security advisory warning users of its Flash Player about a zero-day bug that is reportedly “being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.” The vulnerability has also been confirmed to affect the auth.dll component that accompanies certain versions of Reader and Acrobat X, but the company has yet to come across any exploits targeting them.
This is what the security bulletin says about a patch: “We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011.”
However, a patch for Reader X for Windows will not be rolled out anytime before the next quarterly security update for the software that is scheduled for June 14, 2011. Until then, Reader X for Windows users can count on the software’s Protected Mode to earn its name by shielding them from any exploit code targeting this bug.
According to Roel Schouwenberg, senior malware researcher at Kaspersky Lab, the malicious-SWF-in-Excel exploit that is currently being used to target this zero-day bug seems to be ineffective on Windows 7.
“The reason why the attackers are using Excel as a delivery vehicle is simple,” he wrote in a blog post. “This way the attack can easily be delivered through email. So be extra cautious when you receive XLS files you didn't request.”
“Call me old-fashioned, but I don't really see the point of embedded SWFs inside Excel documents. From my point of view, this is a clear example of too much functionality in a product leading to security problems.”
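A defender's first question about this delivery vector is how to spot an Excel attachment that carries a Flash object at all. The scanner below is an added example, not code from the article, Adobe or Kaspersky: it checks that a file is a legacy OLE2 compound document (the .xls container) and then heuristically searches the raw bytes for SWF headers (`FWS`, `CWS`, `ZWS`). It assumes the embedded SWF is stored as plain bytes inside the container, which holds for OLE2 streams but would not for a zipped .xlsx; the sample files are constructed inline.

```python
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of legacy .xls/.doc/.ppt
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")           # raw, zlib-compressed, LZMA-compressed SWF


def is_ole2(data: bytes) -> bool:
    """Legacy .xls files are OLE2 compound documents; .xlsx (zip) files are not."""
    return data[:8] == OLE2_MAGIC


def find_embedded_swf(data: bytes, max_len: int = 64 * 1024 * 1024) -> list:
    """Heuristic search for SWF headers anywhere in a byte blob.

    An SWF header is: 3-byte signature, 1-byte version, uint32 LE total length.
    Requiring a sane version and length filters out chance 3-byte matches.
    """
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                (length,) = struct.unpack_from("<I", header, 4)
                if 1 <= version <= 64 and 8 < length <= max_len:
                    hits.append({"offset": pos, "signature": sig.decode(),
                                 "version": version, "declared_length": length})
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def triage(data: bytes) -> str:
    """Verdict for an attachment: flag OLE2 documents that carry a Flash object."""
    if not is_ole2(data):
        return "not-ole2"
    return "ole2-with-embedded-swf" if find_embedded_swf(data) else "ole2-clean"


# Constructed samples (not real malware): an OLE2 header, 504 bytes of padding so the
# object lands on a 512-byte sector boundary, then a CWS header for SWF version 10
# declaring 4096 bytes, followed by a zlib stream marker and filler.
SAMPLE_XLS = (OLE2_MAGIC + b"\x00" * 504 + b"CWS" + bytes([10])
              + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 32)
CLEAN_XLS = OLE2_MAGIC + b"\x00" * 64 + b"Quarterly Figures" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("sample.xls", SAMPLE_XLS), ("clean.xls", CLEAN_XLS)):
        print(name, triage(blob), find_embedded_swf(blob))
```

A production scanner would walk the OLE2 directory with a parser such as olefile and inspect each stream rather than grepping the whole file, but the header check itself is the same.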