Adobe Flash zero-day exploit in the wild *Updated*

Malware hunters have spotted a previously unknown — and unpatched — Adobe Flash vulnerability being exploited in the wild.

http://blogs.zdnet.com/security/?p=1189&tag=nl.e589

Be careful out there

Does avast protect against this one?

A very good question, Tech. Let’s hope someone from Alwil can answer it.

More reports:

http://tailrank.com/6068446/Adobe-Flash-Player-SWF-File-Unspecified-Remote-Code-Execution-Vulnerability

http://ddanchev.blogspot.com/2008/05/malware-attack-exploiting-flash-zero.html

http://isc.sans.org/diary.html?storyid=4465

http://news.cnet.com/8301-10789_3-9952547-57.html

Added the detection to the internal test version, should be out today.

Thanks kubecj.

Hi malware fighters,

Here is a list of sites to block:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527

polonus

Thanks for the info polonus.


Thanks for the link, Polonus.


Update, it looks like the 9.0.124.0 plug-in version of flash player is immune to this attack. Make sure yours is up to date.

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=spam__malware_and_vulnerabilities&articleId=9090218&taxonomyId=85

Hi marc57,

Thanks for the heads up. I already have this latest version, and others are advised to do so without delay at: http://www.adobe.com/products/flashplayer/

Still 40% of all Windows users did not update, according to numbers from Online Software Inspector and Personal Software Inspector links: https://psi.secunia.com/ and http://secunia.com/software_inspector/
36% of PSI users did not update to the latest 9.0.124.0 version. If these are the numbers for security aware people, the numbers for unprotected and vulnerable common users must be many times higher.
However, the users of Firefox with NoScript blocking must be considered as also secure.

polonus

Security sites are warning of increased dangers of malformed Shockwave Flash (SWF) objects. I’ve read reports of possibly 250,000 web pages hosting this new exploit. It is important to move to the latest version of Flash if prompted or manually update if you are not on version 9.0.124.

Adobe test site which will show latest version (should be 9.0.124)
http://kb.adobe.com/selfservice/viewConten...rnalId=tn_15507

How to manually update if needed (be sure to uncheck Google Toolbar)
http://www.adobe.com/products/flashplayer/

AVERT reports that recent sites affected by mass hacking attacks are being redirected to load malicious SWF files. These exploits are being programmed for specific versions of Flash to broaden the scope of attacks. Finally, please see last AVERT link (05/28), as they are researching a new variant that might possibly exploit Flash where it is fully up-to-date (e.g., 9.0.124).

Adobe Flash Player Flaw - Massive Exploitation reported
http://www.frsirt.com/english/

QUOTE: Adobe Flash Player Flaw Massive Exploitation – The Adobe Flash Player vulnerability which was disclosed this week by Symantec and believed to be unknown (zero-day) is a previously known issue that was patched with version 9.0.124.0. Multiple compromised web pages are currently exploiting this flaw and distributing malware.

ADDITIONAL LINKS
http://www.frsirt.com/english/advisories/2008/1158
http://isc.sans.org/diary.html?storyid=4474
http://secunia.com/advisories/30404/
http://www.securityfocus.com/bid/29386
http://www.avertlabs.com/research/blog/ind...exploit-update/

QUOTE: Here’s a quick update to the earlier post on a new unpatched Adobe Flash vulnerability. Through looking for sites serving these SWF exploits we’ve found a connection with recent mass hacks. Hacked sites reference an external script, just as they have for quite some time. But, the external scripts now reference an SWF file.

New variants emerging - AVERT researching claims that currently patched systems may be vulnerable?
http://www.avertlabs.com/research/blog/ind...ploit-update-2/

Dan, when you are posting links many don’t work.
e.g. all the ones with … in the URL.

This is because, wherever you are copying them from, the source shortens the displayed URL using the … in the displayed link; the underlying URL of the link you copy from should have the full path.

Hi DavidR,

The most interesting link: http://www.avertlabs.com/research/blog/index.php/2008/05/28/flash-player-exploit-update-2/

pol

Our detection in the last VPS should be very, very generic (I’m myself a bit afraid that it may sometimes FP on broken flash files), so avast users should be protected.

I’m not sure I understand the NoScript remark? The vulnerability is in Flash, the javascript around is just to hide the fact.

NoScript also has Flash blocking, so it should block good or bad, so I assume that is what the NoScript remark is about.

Hi kubecj,

NoScript blocks Adobe Flash on a page by default; you can pre-scan the SWF link and then temporarily allow it. Another option is to implement a killbit for the following CLSID: d27cdb6e-ae6d-11cf-96b8-444553540000. Another option is to use the free AxBan to do this automatically, which also blocks malicious ActiveX controls: http://portal.erratasec.com/axb/AxBan.exe

polonus

Well worth a read:
Adobe Flash Player Flaw - Massive Exploitation
“Security sites are warning of increased dangers of malformed Shockwave Flash (SWF) objects. Possibly 250,000 web pages hosting this new exploit. It is important to move to the latest version of Flash if prompted or manually update if you are not on version 9.0.124.”

I picked the Flash Player 10 beta plugin from the official site, which is supposed not to have this vulnerability, and extracted NPSWF32.dll to the \Data\plugins folder of Firefox Portable. The plug-in works fine with the unofficial Firefox RC2 build (2008052906) on most sites I visited, with some exceptions including some major sites such as CNN.

Well test it in your browser from this page, and see that NoScript protects you:
http://www.jumperz.net/index.php?i=2&a=1&b=8

In short, anti-DNS pinning and DNS-rebinding attacks can be used to make your browser think it can send information X to site B, since site B belongs to the same site as site A (which is some good site). This can be exploited simply over the browser window using JavaScript, Java or Flash. Using this kind of attack, the owner of any www-page can get access to your internal network, such as router, external firewall, other computers in your LAN, etc. etc. because your computer is being told that site B is located on the same domain/IP that site A is (and your computer therefore thinks it is safe to send such information there).

Now, browsers have been protected against this kind of attack for some time now. However, JavaScript, Java and Flash aren't. They are still vulnerable.

This sounds pretty damn serious if you have anything inside your own LAN that is not firewalled or if you don't have good passphrases on your router/modem!!!

More information in here

Tests

P.S. From the implication you will get this online javascript port scanner:
http://www.gnucitizen.org/projects/javascript-port-scanner/

enjoy,

D