Adobe has issued a security advisory (APSA11-01) about an exploit in the wild targeting a 0-day vulnerability in Adobe Flash Player. These attacks involve a malicious Flash .swf file embedded in a Microsoft Excel document that is then sent to a victim via email. When the victim opens the document, Flash is loaded inside the Excel process and the embedded malicious .swf file exploits Flash.
Below are some details on how you can stay safe from the current attacks:
First, customers using Office 2010 aren’t susceptible to the current attacks: they don’t bypass Data Execution Prevention (DEP), which is turned on for the core Office apps. Also, 64-bit Office 2010 has even less exposure, because the shellcode in all the known exploits only works in a 32-bit process. And if an Office document originates from an unsafe location such as email or the internet, Office 2010 activates its “Protected View” feature, which uses a sandbox that greatly limits the ability of the app to interact with other processes and the system.
Users who want additional protection, as well as users of Microsoft Office versions prior to 2010, can use the Enhanced Mitigation Experience Toolkit (EMET). Configuring EMET for the Office apps is done through the following steps:
1. Launch EMET from the Start menu
2. Click the “Configure Apps” button
3. Click the “Add” button
4. Navigate to where you have Office installed and select one of the core Office apps. For example, this might be C:\Program Files (x86)\Microsoft Office\Office12\excel.exe.
5. Select “Open”
6. Repeat steps 4 through 5 for the other core Office apps
7. Select “OK”
8. Restart any Office apps that are currently running
Flash Player can also be hosted in a web browser, so you may wish to turn on EMET for the browser you use. This is done by adding the browser executable to the list of protected apps, following the steps above.
Beyond EMET, Office 2007 users can prevent Flash Player (as well as other ActiveX controls) from loading inside an Office app by changing the ActiveX setting in the Trust Center to “Disable all controls without notification”, as shown in the screenshot below:
The ActiveX setting in the Trust Center can also be set via group policy or registry.
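The EMET enrolment steps above and the registry route for the Trust Center setting, scripted as an added example (this is not code from the original post or from Microsoft). It assumes EMET 2.x with its EMET_Conf.exe --add and --list command-line switches at the path in $EmetConf, a 32-bit Office 2007 install under Office12, and that the Trust Center option is stored as the DisableAllActiveX DWORD under HKCU\Software\Microsoft\Office\12.0\Common\Security; check that value name against Microsoft's Office 2007 policy documentation before deploying it.

```powershell
# Added example (not from the original post): enrol the core Office 2007 apps
# and the browser in EMET from the command line, then apply the Trust Center
# "Disable all controls without notification" option through the registry.
# Assumed paths and registry value name; verify them for your environment.
$EmetConf  = 'C:\Program Files (x86)\EMET\EMET_Conf.exe'
$OfficeDir = 'C:\Program Files (x86)\Microsoft Office\Office12'
$Apps = @('excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe') |
        ForEach-Object { Join-Path $OfficeDir $_ }
# Flash can also be hosted by the browser (32-bit IE here), so protect it too
$Apps += 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'

function Add-EmetProtection {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { Write-Warning "Not found, skipping: $p"; continue }
        & $EmetConf --add $p | Out-Null      # same effect as Configure Apps > Add > Open
    }
    # Confirm each executable now appears in EMET's protected-application list
    $listed = & $EmetConf --list
    foreach ($p in $Paths) {
        $name = Split-Path $p -Leaf
        if ($listed -match [regex]::Escape($name)) { "EMET protecting: $name" }
        else { Write-Warning "EMET did not list $name; add it via the GUI" }
    }
}

function Disable-OfficeActiveX {
    # Registry equivalent of Trust Center > ActiveX Settings >
    # "Disable all controls without notification" (assumed value name)
    $key = 'HKCU:\Software\Microsoft\Office\12.0\Common\Security'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DisableAllActiveX' -Value 1 -Type DWord
    # Return $true only if the value read back is the one we set
    (Get-ItemProperty -Path $key).DisableAllActiveX -eq 1
}

Add-EmetProtection -Paths $Apps
if (Disable-OfficeActiveX) { 'ActiveX controls disabled for Office 2007 (current user)' }
'Restart any running Office apps and the browser so the new settings take effect.'
```

The registry change applies to the current user only; for a domain-wide rollout use the corresponding Group Policy setting instead.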