Adobe has warned of a critical vulnerability in Adobe Flash Player that affects a vast majority of users. The flaw (CVE-2011-0609) has been exploited in the wild and allows an attacker to gain control of a machine by embedding a malicious Flash SWF file in a Microsoft Excel XLS file. Adobe reports that the XLS file is being distributed via email, so you should be fine as long as you don't open any suspicious documents.
Affected software includes Flash Player 10.2.152.33 (10.2.154.18 for Chrome) and earlier on Windows, Mac, Linux and Solaris. Flash 101.106.16 and earlier versions for Android are also affected, as is the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier for Windows and Mac. According to a blog post by Kaspersky Lab's Roel Schouwenberg, the exploit doesn't seem to work on Windows 7.
Adobe plans to remedy the situation by releasing a patch next Monday. That update will fix all of the above-mentioned software, except Adobe Reader X. The program has a "protected mode" that would prevent an exploit of this nature from working, so there's no immediate threat to users. Adobe Reader X will be fixed during the next quarterly security update for Adobe Reader, which is currently scheduled for June 14, 2011.
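Two things a defender wants to automate from the details above are (a) checking whether an installed Flash Player or Reader/Acrobat X build falls inside the "and earlier" ranges Adobe listed, and (b) triaging incoming XLS attachments for an embedded SWF. The script below is an added example written for this page, not code from Adobe, Kaspersky or the article's author. The product keys, the version bounds (copied from the text above), the SWF-signature heuristic and the sample byte blob are all my own constructions; the blob is only a stand-in for an Excel file (a real .xls is an OLE compound file, and an embedded SWF may not be stored contiguously, so treat this scan as triage, not a verdict).

```python
import re
import struct

# Inclusive upper bounds from the article ("<version> and earlier").
# Android's listed version is not included here because it is printed
# ambiguously in the source text.
AFFECTED_MAX = {
    "flash-player": (10, 2, 152, 33),        # Windows, Mac, Linux, Solaris
    "flash-player-chrome": (10, 2, 154, 18), # Chrome's bundled Flash
    "reader-acrobat-x": (10, 0, 1),          # authplay.dll in Reader/Acrobat X
}


def parse_version(text):
    """Turn '10.2.152.33' into (10, 2, 152, 33) for tuple comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product, version):
    """True if `version` is at or below the affected bound for `product`.

    Note: for reader-acrobat-x this only says the vulnerable authplay.dll
    component is present; the article states Reader X's protected mode
    prevents this particular exploit from working.
    """
    bound = AFFECTED_MAX[product]
    v = parse_version(version)
    # Pad the shorter tuple with zeros so 10.0.1 and 10.0.1.0 compare equal.
    width = max(len(v), len(bound))
    v = v + (0,) * (width - len(v))
    bound = bound + (0,) * (width - len(bound))
    return v <= bound


# SWF files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA),
# followed by a one-byte SWF version and a 4-byte little-endian file length.
# The version byte range is a heuristic to cut down on false hits from
# ASCII text that happens to contain "FWS".
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x30]")


def find_embedded_swf(data):
    """Return a list of candidate SWF headers found anywhere in `data`."""
    hits = []
    for match in SWF_MAGIC.finditer(data):
        offset = match.start()
        if offset + 8 > len(data):
            continue  # not enough bytes for a full 8-byte SWF header
        signature = data[offset:offset + 3].decode("ascii")
        swf_version = data[offset + 3]
        declared_length = struct.unpack_from("<I", data, offset + 4)[0]
        hits.append({
            "offset": offset,
            "signature": signature,
            "version": swf_version,
            "declared_length": declared_length,
        })
    return hits


# Constructed sample: an OLE compound-file magic (what a real .xls starts
# with), some padding, then a fabricated CWS header and a few filler bytes
# standing in for the zlib-compressed body. This is NOT a real exploit file.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    + b"\x00" * 24
    + b"CWS" + bytes([10]) + struct.pack("<I", 4096)
    + b"\x78\x9c" + b"\x00" * 16
)


if __name__ == "__main__":
    for product, version in [("flash-player", "10.2.152.33"),
                             ("flash-player", "10.2.153.1"),
                             ("reader-acrobat-x", "10.0.1")]:
        print(product, version, "affected" if is_affected(product, version) else "ok")
    for hit in find_embedded_swf(SAMPLE_DOC):
        print("embedded SWF candidate:", hit)
```

In practice you would feed `find_embedded_swf` the bytes of each attachment pulled off the mail gateway and route any hit for manual review, then use `is_affected` against the version strings your endpoint inventory already collects to decide who needs Adobe's fix first.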
News of the latest Flash vulnerability comes as the software faces ongoing criticism. Speaking to Fast Company, Mozilla exec Jay Sullivan promoted the use of HTML5 and referred to Flash as a "plug-in prison." Sullivan said Flash crashes Firefox more than any other plug-in, noting that the browser's crash protection feature was designed with Flash in mind. "HTML5 is the longer-term answer," Sullivan says. "We're on that path now."