When Adobe released Acrobat 9 last year, the company introduced support for embedding Flash media in PDF files. This feature is now being used by attackers who are exploiting a new vulnerability in Adobe's Flash media plugin. The vulnerability allows remote code execution, making it a potential vector for malware deployment.

Adobe's security response team issued a statement on Wednesday, confirming the existence of a critical Flash vulnerability that is actively being exploited in the wild. The attacks are currently targeted against Acrobat Reader on the Windows platform. Adobe is working to address the problem and says that a fix will be ready by July 30.

As a temporary measure to eliminate the security risk, Adobe recommends disabling Flash support in Acrobat Reader by renaming or deleting the "authplay.dll" file. Doing so will cause Acrobat Reader to abort when it attempts to read a Flash-enabled PDF.
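The workaround above is a manual file rename. As an added example (not from the article, from Adobe or from US-CERT), the following PowerShell script locates authplay.dll under the usual Adobe install roots, reports the file version it finds, and renames it only when run with `-Disable`, so the change can be reverted after the patch ships. The install locations under Program Files and the `.disabled` backup suffix are assumptions; the article names only the file.

```powershell
# Added example: find and optionally disable authplay.dll (the Flash player
# component Adobe Reader loads for Flash-enabled PDFs). Search roots are assumed.
param(
    [switch]$Disable   # without -Disable the script only reports what it finds
)

# Both 32-bit and 64-bit Program Files roots; skip any that do not exist.
$roots = @(
    "$env:ProgramFiles\Adobe",
    "${env:ProgramFiles(x86)}\Adobe"
) | Where-Object { $_ -and (Test-Path $_) }

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Filter 'authplay.dll' -ErrorAction SilentlyContinue
}

if (-not $hits) {
    Write-Output "authplay.dll not found under: $($roots -join ', ')"
    return
}

foreach ($dll in $hits) {
    $ver = $dll.VersionInfo.FileVersion
    Write-Output "Found $($dll.FullName) (file version: $ver)"
    if ($Disable) {
        # Rename rather than delete so the change can be reverted once a fixed build is installed.
        $backup = "$($dll.FullName).disabled"
        if (Test-Path $backup) {
            Write-Output "  Backup already exists at $backup; skipping."
        } else {
            Rename-Item -Path $dll.FullName -NewName "$($dll.Name).disabled"
            Write-Output "  Renamed to $backup. Reader will fail to open Flash-enabled PDFs until the file is restored."
        }
    }
}
```

Run it once without `-Disable` to inventory the affected installs, then with `-Disable` from an elevated prompt after closing Reader and Acrobat (the DLL cannot be renamed while it is loaded). Restoring the original name undoes the workaround.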

The US Computer Emergency Readiness Team (US-CERT) has published a cybersecurity alert about the vulnerability and warns that it could potentially be exploited by malicious web sites in addition to PDFs. US-CERT echoes Adobe's recommendation to disable Flash in Acrobat, but also suggests disabling it in browsers.

Security vendors McAfee and Symantec have both commented on the issue and provided some technical insight. According to Symantec, one known exploit of this vulnerability, which they have designated Trojan.Pidief.G, uses a heap spraying technique.

"Recently we came into possession of an Adobe Acrobat PDF file that upon opening drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload," wrote Symantec researcher Patrick Fitzgerald in a blog entry. "During the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash--not Adobe Reader as we initially suspected."

Both security companies point out that Flash vulnerabilities are particularly tempting targets for attackers because of Flash's ubiquitous platform support. It's worth noting, however, that the known exploits are currently platform-specific and only target Windows.

Listing image by Steve Jurvetson