Posts Tagged ‘Security’

Flash attack may as well have been zero-day

June 3, 2008

Guest Editorial by Dino Dai Zovi

It has almost been a week since the Adobe Flash zero-day attack false alarm. Since then, a number of people have called Symantec out as being irresponsible for crying wolf and announcing the raising of the ThreatCon without fully researching the vulnerability (Full disclosure: Based on that information, I wrote here that the exploit took advantage of a zero-day vulnerability before I had tested it on a patched system — I was more interested in reversing the malware payload at the time).

We must be careful, however, to make sure that the real lesson isn’t lost while we all breathe a collective sigh of relief: the vulnerability may as well have been zero-day.

Adobe Flash zero-day exploit in the wild

May 31, 2008

Malware hunters have spotted a previously unknown — and unpatched — Adobe Flash vulnerability being exploited in the wild.

The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers.

Technical details on the vulnerability are not yet available.  Adobe’s product security incident response team is investigating.

This SecurityFocus advisory warns:

Adobe Flash Player is prone to an unspecified remote code-execution vulnerability.

An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Adobe Flash Player 9.0.115.0 and 9.0.124.0 are vulnerable; other versions may also be affected.

I’ve independently verified that redirection scripts have been posted on at least two Chinese-language Web sites to launch drive-by downloads of malware.   When the exploit fires, it checks the Flash version on the vulnerable computer and, depending on the result, it uses a different .SWF (shockwave) file to take complete control of the machine.

This threat should be considered very serious because of the widespread distribution that Adobe Flash enjoys on the Windows ecosystem.  If this exploit gets seeded on high-traffic Web sites, we could be in for a long clean-up operation.

More from the SANS ISC diary.

[ UPDATE: Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.]

Adobe Flash drive-by attacks redux

May 28, 2008

Posted by Ryan Naraine

Adobe has finally issued an almost-definitive statement on the reports of a zero-day attack targeting its flagship Flash Player, suggesting (kinda) that the vulnerability is already patched.

In a progress report posted to the official Adobe PSIRT blog, David Lenoe stops short of making definitive statements on the actual vulnerability, using phrases like “appears to be” and “should not be vulnerable,” but it’s clear that Adobe believes these attacks are tied to an issue that was patched with Flash Player 9.0.124.0.
