Adobe has issued a warning that a critical vulnerability has been detected in its Flash player.
The vulnerability is exploited via a malformed Flash (SWF) file embedded inside a Microsoft Excel file. Apparently the XLS file sets up the system memory to make the attack more effective, and on success it installs persistent malware on the target machine.
The problem affects Adobe Reader and Acrobat as well as Flash Player, and patches for Acrobat and Flash are planned for release next Monday.
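Because the delivery vehicle here is a Flash file carried inside an Office document, a useful defensive check is simply to look for SWF headers inside files that should not contain them. The following is an added example, not code from Adobe or from this article: it scans an arbitrary byte buffer for the SWF signatures `FWS` (uncompressed), `CWS` (zlib-compressed) and `ZWS` (LZMA, added to the format later than this attack), filters accidental three-byte matches with header sanity checks, and for `CWS` confirms the zlib stream actually inflates to the declared size. The sample "container" it scans is constructed inline and only mimics an embedded object; it is not a real Excel file, and the version upper bound is an assumption chosen for the filter.

```python
import struct
import zlib

# SWF magic values: FWS = uncompressed, CWS = zlib-compressed,
# ZWS = LZMA-compressed (introduced later than the attack described above).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
SWF_HEADER_LEN = 8          # signature(3) + version(1) + file length(4, little-endian)
MAX_PLAUSIBLE_VERSION = 60  # assumed upper bound for the version byte; real versions are lower


def _body_looks_valid(magic, body, declared_len):
    """Check that the bytes after the header are consistent with the declared length.
    For CWS the zlib stream must inflate to the declared size; for FWS enough bytes
    must follow; ZWS (LZMA) is accepted on header checks alone."""
    expected_body = declared_len - SWF_HEADER_LEN
    if magic == b"FWS":
        return len(body) >= expected_body
    if magic == b"CWS":
        try:
            inflated = zlib.decompressobj().decompress(body)  # trailing bytes are tolerated
        except zlib.error:
            return False
        return len(inflated) == expected_body
    return True


def find_embedded_swf(data: bytes):
    """Scan an arbitrary byte buffer (e.g. an Office document) for SWF headers.
    Returns a list of hits, each with offset, magic, version and declared length."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            off = data.find(magic, start)
            if off == -1:
                break
            start = off + 1
            header = data[off:off + SWF_HEADER_LEN]
            if len(header) < SWF_HEADER_LEN:
                continue
            version = header[3]
            declared_len = struct.unpack("<I", header[4:8])[0]
            # Cheap sanity filters to discard accidental matches of the 3-byte magic
            if not (1 <= version <= MAX_PLAUSIBLE_VERSION):
                continue
            if declared_len < SWF_HEADER_LEN or declared_len > len(data) * 64:
                continue
            if not _body_looks_valid(magic, data[off + SWF_HEADER_LEN:], declared_len):
                continue
            hits.append({"offset": off, "magic": magic.decode(),
                         "version": version, "declared_length": declared_len})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_container():
    """Constructed sample: OLE-style padding around a zlib-compressed SWF, plus a
    decoy 'FWS' with an implausible version byte that the scanner must reject.
    This is NOT a real Excel file, only bytes that mimic an embedded object."""
    swf_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 20
    swf_len = SWF_HEADER_LEN + len(swf_body)          # 41 bytes declared
    swf = b"CWS" + bytes([10]) + struct.pack("<I", swf_len) + zlib.compress(swf_body)
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # real OLE2 compound-file signature
    decoy = b"FWS\xffAAAA"                            # version 0xff: filtered out
    return ole_magic + b"\x00" * 40 + decoy + b"\x00" * 16 + swf + b"\x00" * 64


if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample_container()):
        print(hit)
```

In practice this check belongs at a mail gateway or on a file-upload path, run over every Office document rather than only those with an obvious Flash object; a hit is a reason to quarantine and inspect, not proof of exploitation, since legitimate documents can embed Flash content.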
However, Adobe isn’t going to push out a fix for Adobe Reader X until the next quarterly security update for the application, which happens to be June 14th.
The reason for the lengthy delay in Reader’s case is down to several factors. The attacks using this exploit are currently “limited” in scope, Adobe claims, and are of course currently using XLS not PDF as a vehicle.
Of course that could change, but Reader X also has a protected mode which is specifically tailored to stop this type of malware, and the application’s sandboxing will apparently prevent the malicious code from reaching the victim’s machine.
Adobe concluded (on its software engineering blog) that an out-of-cycle Reader update would “incur unnecessary churn and patch management overhead on our users not justified by the associated risk, in particular for customers with large managed environments.”