Adobe on Friday patched a critical vulnerability in Flash Player that the company said criminals were already exploiting with malicious Microsoft Word and Excel documents.
On Monday, Adobe acknowledged the bug, said exploits were circulating, and promised to fix the flaw with an emergency update.
Friday’s update was Adobe’s second rush patch in less than four weeks.
The new version, Flash Player 10.2.159.1, is available for Windows, Mac, Linux and Solaris.
Missing from that list is Android, the Google mobile operating system that also runs Flash. A fix for the same flaw will be issued to Android users no later than the week of April 25, said Adobe.
Adobe will patch the popular PDF viewer Adobe Reader that same week. The Flash vulnerability also exists in Reader and the more advanced Acrobat because both include code that renders Flash content embedded in PDF files.
Although initial attacks were launched using malicious Word attachments, hackers later expanded the campaign to include malformed Excel files, according to Mila Parkour, the independent security researcher who reported the Flash flaw to Adobe.
Parkour, who has been tracking the attacks for more than a week, has published information about them on her Contagio Malware Dump blog.
Some of the earliest messages in the attack tried to get recipients to open the attached Word or Excel files by claiming they offered information on China’s antitrust laws, or a purported Japanese nuclear weapons program. Later messages were more mundane, and posed as corporate reorganization plans or new company contact lists.
Parkour also traced the resulting malware’s “phone-home” communications to a server registered in China, and noted that some of the malicious Word and Excel documents had been originally crafted in Chinese.
Google updated its Chrome browser—which includes a copy of Flash Player—Thursday, fixing not only the Adobe bug but a trio of critical vulnerabilities in the browser’s hardware acceleration technology. Like Internet Explorer and Firefox, Chrome taps the computer’s graphics processor (GPU) to handle some page composition and rendering tasks.
Google usually tags as “critical” only those bugs that attackers could use to escape the browser’s “sandbox,” an anti-exploit technology designed to prevent malicious code from escaping the browser.
Users running other browsers can download the patched version of Flash Player from Adobe’s site .