Must Read: Samsung Galaxy S4 review

Topic: Enterprise Software

Adobe Flash zero-day exploit in the wild

Summary: [ See important update to this story here ]Malware hunters have spotted a previously unknown -- and unpatched -- Adobe Flash vulnerability being exploited in the wild.The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers.

Ryan Naraine

By for Zero Day |

Adobe Flash zero-day exploit in the wild[ See important update to this story here ]

Malware hunters have spotted a previously unknown -- and unpatched -- Adobe Flash vulnerability being exploited in the wild.

The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers.

Technical details on the vulnerability are not yet available.  Adobe's product security incident response team is investigating.

This SecurityFocus advisory warns:

Adobe Flash Player is prone to an unspecified remote code-execution vulnerability.

An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Adobe Flash Player 9.0.115.0 and 9.0.124.0 are vulnerable; other versions may also be affected.

I've independently verified that redirection scripts have been posted on at least two Chinese-language Web sites to launch drive-by downloads of malware.   When the exploit fires, it checks the Flash version on the vulnerable computer and, depending on the result, it uses a different .SWF (shockwave) file to take complete control of the machine.

This threat should be considered very serious because of the widespread distribution that Adobe Flash enjoys on the Windows ecosystem.  If this exploit gets seeded on high-traffic Web sites, we could be in for a long clean-up operation.

More from the SANS ISC diary.

[ UPDATE: Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.]

Topics: Enterprise Software, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

53 comments
Log in or register to join the discussion

  • Clarification

    [i]An attacker may exploit this issue to execute arbitrary code in the context of the affected application.[/i]

    IE7 running in Protected Mode (the default in Vista) runs with fewer privileges than the current user. Would the exploit run in this context? If so, this malware was castrated before it even left the stall.

    [i]Failed exploit attempts will likely result in denial-of-service conditions.[/i]

    Please, oh please tell me this doesn't mean that your browser will crash. If so, why on earth do people insist on calling a denial of service? Your browser crashes, you open it again, and you don't go back to that site, case closed. Calling it a denial-of-service simply makes it sound like FUD.
    NonZealot
    Reply Vote

    • Clarification to the Clarifier

      So first off, taking control of a non-privileged user is still a huge deal. I'm sick and tired of people acting like it's not, it just shows how little they understand. Once I take over a regular ass user, what's to stop me from attacking your internal network? Not every user out there is a home user, a ton are bank employees, government officials, etc. Taking over user privilege on a machine interior to a serious network is a huge, huge issue.

      Denial of Service is still an accurate term for a browser crash, even if it is blowing things a bit out of proportion. Trust me, every time I'm doing a blog posting and Safari crashes, I get uber pissed.

      -Nate
      nmcfeters
      Reply Vote

      • PM is a sandbox not a LUA

        Protected Mode IE is a "sandbox" not just a user running with less priviledges. It's very hard, although theoretically possible, to "take over a regular user" running PM IE. This is why users running FireFox were affected by the ANI/Cursor bug while IE7PM users were not.
        Donald75
        Reply Vote

        • Sorry spoke to fast

          Hair trigger reaction to talking about LUA. Neglected to read he was talking about protected mode, but there is ways to get around this... i.e., there are ways to force IE to run in a different protected mode... or for example, there's other applications that could potentially render flash that run in eleveated permission sets.

          -Nate
          nmcfeters
          Reply Vote

        • Pwned browser still bad idea.

          If someone pwns your browser this is still extremly bad thing.
          1) Hacker still can use YOU to perform unwanted activity like hacking.
          2) Hacker still can send spam via your machine.
          3) Hacker may turn you to some sort of proxy.
          All this does not really requires any elevated rights.Fact that malicious code started is really enough for hacker to achieve all these goals.

          And finally since these actions are appear to happen from YOUR machine under YOUR control at first it will be YOU who is held responsible for all this.Then you may even succeed in redirecting punishment to a right place.Or you may not, so you'll be held responsible for things you're never did.But in any case you may once have a decent amount of headache anyway due to hackers activity from your PC.
          kindauniquebastard2
          Reply Vote

      • agreed -

        I have no idea where this "it's OK to gain illegitimate access to a normal user's account" rubbish came from. UNIX has been designed to help protect users against unauthorized access from other users, but that doesn't mean it's OK to remotely hijack a user. Once someone has user access, the next step is to attempt to escalate privileges and eventually have superuser access. I guess WinDuhs users have been so used to being screwed over by malware that they think the meager and annoying 'security features' of VisDuh (or any WinDuhs version) are something wonderful.

        As for the Flash plugin crashing - I guess the Adobe people see "play a Flash file/stream" as a service, so they call this a 'denial of service'. The claim is not technically correct in the common usage of the term unless the plugin is invoked via 'sockets'.
        zoroaster
        Reply Vote

      • Here's a clarification that's needed.

        WTF is "zero-day" supposed to mean?
        dgurney
        Reply Vote

      • Stop being an idiot and do some research

        @dgurney
        you sir are a complete idiot who refuses to do any research before claiming you know all possible tech phrases, and that everybody in the world made-up "zero day". you obviously have zero knowledge about computing and you flame every article with the phrase in it..... just go away ( search "dgurney exploit" and you will see he has posted the same thing, every article)
        WHATaJABRONI
        Reply Vote

  • The perfect storm

    One of the more ultimate in terms of pwnage. An 0-day in flash is huge... multi-platform, on probably 90+% of the computers out there... internet exploitable.

    -Nate
    nmcfeters
    Reply Vote

    • ....

      I dunno... many of the Linux users out there use Ad Block, Flash Block and No Script... that would pretty much kill it dead... that is until they ran it I suppose but even then, I don't know of any infections out there for Linux desktop systems and I have been looking since I am and have been a Linux desktop user for 9 years now. ]:)
      Linux User 147560
      Reply Vote

      • AdBlock and NoScript on Ubuntu

        I haven't seen a redirect work yet, unless I temporarily allow the site to execute scripts. What's really nice about the new version of NoScript is it spits out the redirect URL's so you can take a look at them.

        Still, I wish the threat advisories were more OS specific. Theoretically a remote threat could get control of user space through a third party app like Flash. Not sure what good that does them. You can't install anything with user privileges on Ubuntu. Can't access system files, config files...nothing.
        Chad_z
        Reply Vote

        • And Vista as well

          I agree with your statement but in addition to what you said analysis of te effectivies of an OS built-in security features needs to happen.
          Heatlesssun1
          Reply Vote

        • Properly configured Ubuntu

          On a properly configured 'nix system, a regular user shouldn't be able to modify system settings, but what about those people who might be to lazy to enter their passwords all the time and modifed sudo to do some things without a password (dumb, but possible - mount comes to mind as a command I wish would stop butgging me for password 8)).
          chromeronin
          Reply Vote

          • C'mon, that's not just lazy

            If you want to issue root commands without entering a password every time, keep a damn root terminal up.
            jthill
            Reply Vote

  • RE: Adobe Flash zero-day exploit in the wild

    And this is why Adobe flash is about to loose its spot on my computers. This is NOT the first time that Flash has been a gaping security hole (kinda like Apple's Quicktime - which i removed without too much grief)..if web designers didnt integrate flash in every aspect of their sites, it would be much easier to break the addiction.

    I wonder if SilverLight is affected by this?
    JT82
    Reply Vote

    • Leaving Adobe Flash?

      Then try Gnash.
      daengbo
      Reply Vote

  • So do UAC and DEP protect the user

    It never ceases to amazeme that when announcments like this are made, little mention of the effectiveness of security layers that designed to mitigate this type of flaws.

    So, any word on if UAC and DEP protect against this flaw?
    Heatlesssun1
    Reply Vote

    • Vuln still being analyzed

      Technical details on the vulnerability are not yet known (analysis is ongoing). We'll know more about mitigations, etc. later.

      _ryan
      Ryan Naraine
      Reply Vote

    • Beyond that, how about a little advice

      [i]There are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. -//- This threat should be considered very serious because of the widespread distribution that Adobe Flash enjoys on the Windows ecosystem. If this exploit gets seeded on high-traffic Web sites, we could be in for a long clean-up operation.[/i]

      Appreciate you bringing this to our attention, but then how about some interim advice on what to do about it? If no remedial action has yet been proposed by Adobe, do you suggest temporarily disabling Flash and Shockwave? Or would that be an over-reaction at this juncture?

      Adobe Flash Player version 9.0.124.0 still appears to be the latest available for download, the very one that is subject to the code-execution.
      klumper
      Reply Vote

      • Advice that works anyway: NoScript

        Whatever the outcome of the ongoing analysis will be, this advice is guaranteed to work.
        [u]http://hackademix.net/2008/05/28/unpatched-flash-vulnerability-widely-exploited-in-the-wild/#noscript[/u]
        Giorgio Maone
        Reply Vote
CNET Join | Log In | Privacy | Cookies Close