20,000 Web pages help exploit 'patched' Flash flaw

A possible zero-day exploit has been discovered for a flaw in Flash thought to have been patched by Adobe a month ago.

Symantec researchers claim the exploit has several different payloads, including one to steal passwords from systems with the vulnerable software. Affected versions of Adobe Flash Player include 9.0.124.0 (latest version) and 9.0.115.0.

Around 20,000 legitimate Web pages have been manipulated, likely via SQL-injection vulnerabilities, to redirect browsers to domains in China which host the exploit, according to Vincent Weafer, senior director of development for Symantec's Security Response team.

The buffer overflow flaw being exploited occurs when processing Shockwave Flash (SWF) files and was meant to be resolved by a patch Adobe issued in April, according to Symantec. However, there's still some uncertainty as to whether the exploit discovered today uses exactly the same flaw patched last month.

"We believe this is very similar to a previous reported vulnerability that was tracked down by IBM. However, the exploit we found in the wild is successful against the latest release of Adobe Flash, so we believe it's a variation of that vulnerability," Weafer said.

Last month, IBM security researcher Mark Dowd released a research note predicting a rise in use of Flash flaws to exploit computer systems.

"The reason we put out the research is to draw attention to how serious these types of vulnerabilities can be," Dowd told ZDNet.com.au at the time.

Adobe says it is investigating the "potential SWF vulnerability", but the company has not yet released further information.

Novologica security consultant Nishad Herath said it doesn't matter whether Adobe confirms the exploit is a zero-day.

"It exploits the latest version so it doesn't matter too much whether they call it a variant of an old flaw that wasn't patched properly. It makes little difference," Herath told ZDNet.com.au.

Symantec's Weafer said consumers and businesses should disable JavaScript, ensure that Data Execution Prevention is enabled in Windows and block access to malicious IP addresses. He added that most antivirus and intrusion prevention systems will detect the malware.