Adobe has warned that a new critical, zero-day flaw in Flash is being used by attackers.
It affected Flash and a related component in Reader and Acrobat - but a sandboxed version of Reader was safe.
The flaw was being used to target companies, Adobe said.
"Reports that we’ve received thus far indicate the attack is targeted at a very small number of organisations and limited in scope," said Brad Arkin, senior director of security, in a post on the Adobe blog.
"The current attack leverages a malicious Flash (.swf) file inside a Microsoft Excel (.xls) file," Arkin said. "The .xls file is used to set up machine memory to take advantage of a crash triggered by the corrupted .swf file. The final step of the attack is to install persistent malware on the victim’s machine."
Adobe will issue an emergency patch for all of its products on 21 March, except its sandboxed Reader X. That version will be updated as part of Adobe's quarterly patching cycle, as the added security from sandboxing will keep users safe, Adobe said.
"We considered providing an out-of-cycle update for Adobe Reader X as well, which would have delayed the current patch release schedule by about another week," Arkin said.
"However, given the mitigation provided by the Adobe Reader X sandbox and the absence of attacks via PDF, we determined that an out-of-cycle update would incur unnecessary churn and patch management overhead on our users not justified by the associated risk, in particular for customers with large managed environments," he added.
So far, the attacks aren't targeting PDFs, but Arkin said if that happens, Adobe would consider releasing a patch for Reader X sooner than June.
This article originally appeared at pcpro.co.uk