Cybercriminals are exploiting the vulnerability by embedding corrupted Flash files in Microsoft Word documents sent as email attachments.
When the targets open the genuine-looking Word document, the hidden Flash file “could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe explained.
The vulnerability exists in Flash Player 10.2.153.1 and earlier versions for Microsoft Windows, Mac, Linux and Solaris. Android users browsing the Web on their mobile devices are also at risk.
In his Krebs on Security blog, researcher Brian Krebs said that attackers are using the Flash flaw to launch spear phishing campaigns against U.S. government organizations.
Think you’re too savvy to fall for an attack like this? Krebs pointed out that VirusTotal — a service that scans and detects suspicious files — found that only one out of 42 antivirus products detected the Flash flaw as malicious.
The Flash bug is also present in Adobe Reader, but it is not being exploited because of the program's "sandbox" option — a security feature that isolates flaws and prevents them from spreading.
Adobe said it is working on rolling out a security update to address the issue.
In March, a different vulnerability relating to Adobe Flash videos embedded in Excel files was used to open a "backdoor" into the computer systems of RSA, a major vendor of sophisticated security tokens.