Hackers are currently using Microsoft Excel files as Trojan horses to exploit a critical security flaw in Adobe Flash Player and infect users’ computers.
An Adobe security advisory explains that the Flash Player flaw leaves the popular media software open to remote attack.
Adobe has received reports of hackers carrying out attacks by embedding corrupted Flash files (labeled .swf) in legitimate Microsoft Excel files (.xls), and then sending the whole package as an e-mail attachment.
“The kind of structure is a perfect setup for targeted attacks,” Roel Schouwenberg, senior antivirus researcher at the security firm Kaspersky Lab, wrote in a company blog.
To stay safe, Schouwenberg wrote that it is important to be “extra cautious when you receive XLS files you didn’t request.”
The attack is what security experts call a “zero day” attack, since the flaw affects all current versions of Adobe Flash Player for the Windows, Mac, Linux, Oracle Solaris and Android operating systems and no patch is available yet.
Adobe’s Reader and Acrobat applications also contain the security flaw, but Adobe has not reported any attacks targeting either program yet.
Adobe said it will issue security updates during the week of March 21 to address the critical vulnerabilities.