In a issued Monday, Adobe said that attackers are exploiting the vulnerability by embedding Flash attack files within a Microsoft Word document sent as an email attachment.
Adobe did not spell out a patch timeline for the newest Flash zero-day.
Four weeks ago, about a different flaw that hackers manipulated via attack code tucked inside Excel spreadsheet attachments.
Later, RSA confirmed that the March vulnerability had been used by cybercriminals to gain a foothold on its corporate network, then related to the company's SecurID two-factor authentication products.
on March 21.
Mila Parkour, the independent security researcher who reported the newest Flash flaw to Adobe, said attackers have inserted a malicious Flash Player file into a Word document named "Disentangling Industrial Policy and Competition Policy," which is then sent to targeted recipients as an attachment.
The email message's subject heading is "Disentangling Industrial Policy and Competition Policy in China," Parkour said in an April 6 blog.
One message that Parkour cited claimed the attached Word document was a copy of the American Bar Association's , hinting that the target recipients may have been the legal departments at corporations or government agencies.
People seeing the email and attachment could be expected to fall for the ruse, since the most recent issue of Antitrust Source does contain an article by the same name. The legitimate article is available on the newsletter's Web site ( ).
Parkour has reported numerous vulnerabilities to Adobe, including one in the company's popular PDF viewer, Adobe Reader.
The Flash vulnerability also exists in Adobe Reader and Acrobat, both of which include code that renders Flash content inserted into PDF files.
"At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat," Adobe said in the advisory.
Last month, urged Excel users the Enhanced Mitigation Experience Toolkit (EMET) to block those attacks, and said that Excel 2010 was not susceptible to the exploit because of its "Protected View" sandbox.
While those same recommendations may apply today for Word, Microsoft was not immediately able to confirm that to Computerworld.
Currently, only one anti- firm, Commtouch, has issued a signature that tags the rogue Word document as a threat, according to , a free service that analyzes suspicious files.
Flash vulnerabilities are an attractive target to hackers, said Andrew Storms, director of security operations at nCircle Security. When asked if the rash of Flash flaws meant it was time for companies to consider ditching the plug-in, Storms answered, "That's going to be incredibly hard due to the pervasiveness of its use in valid business systems."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at or subscribe to . His e-mail address is .
in Computerworld's Malware and Vulnerabilities Topic Center.