(LiveHacking.Com) – Adobe has released a patch to fix a zero-day vulnerability in Flash Player that is being exploited in the wild. According to the security advisory, the bug is being exploited in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only. As a remedy, Adobe has released a security update for Windows, Macintosh, Linux and Android.
Details of the exact nature of the vulnerability are not available; however, it is clear that unpatched versions of Adobe Flash Player allow a remote attacker to execute arbitrary code via a crafted file, related to what is being called an “object confusion vulnerability.”
According to Symantec, the email attachment contains a document with “an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it.” Symantec says that the malware payload is Trojan.Pasam.
The vulnerability affects the following versions:
- Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh, and Linux operating systems
- Adobe Flash Player 22.214.171.124 and earlier versions for Android 4.x
- Adobe Flash Player 126.96.36.199 and earlier versions for Android 3.x and 2.x
Windows users are advised to upgrade as soon as possible, as the exploit is targeting that platform.