Adobe has warned that a new, critical zero-day flaw in Flash is being used by attackers.
It affected Flash and a related component in Reader and Acrobat - but a sandboxed version of Reader was safe.
The flaw was being used to target companies, Adobe said.
"Reports that we’ve received thus far indicate the attack is targeted at a very small number of organisations and limited in scope," said Brad Arkin, senior director of security, in a post on the Adobe blog.
"The current attack leverages a malicious Flash (.swf) file inside a Microsoft Excel (.xls) file," Arkin said. "The .xls file is used to set up machine memory to take advantage of a crash triggered by the corrupted .swf file. The final step of the attack is to install persistent malware on the victim’s machine."
Adobe will issue an emergency patch for all of its products on 21 March, except its sandboxed Reader X. That version will be updated as part of Adobe's quarterly patching cycle, as the added security from sandboxing will keep users safe, Adobe said.
"We considered providing an out-of-cycle update for Adobe Reader X as well, which would have delayed the current patch release schedule by about another week," Arkin said.
"However, given the mitigation provided by the Adobe Reader X sandbox and the absence of attacks via PDF, we determined that an out-of-cycle update would incur unnecessary churn and patch management overhead on our users not justified by the associated risk, in particular for customers with large managed environments," he added.
So far, the attacks aren't targeting PDFs, but Arkin said that if they do, Adobe would consider releasing a patch for Reader X sooner than June.