Adobe has finally issued an almost-definitive statement on the reports of a zero-day attack targeting its flagship Flash Player, suggesting (kinda) that the vulnerability is already patched.
In a progress report posted to the official Adobe PSIRT blog, David Lenoe stops short of making definitive statements on the actual vulnerability, using phrases like "appears to be" and "should not be vulnerable" but it's clear that Adobe believes these attacks are tied to an issue that was patched with Flash Player 126.96.36.199.
The flash.swf file exploits an unpatched vulnerability in Flash. (Note: This differs from Adobe's latest statement)
The exploit payload uses familiar techniques to look up API functions by a 32-bit hash value, and uses URLMON.DLL to download an executable to C:\6123t.exe and run it.
The downloaded executable disables Kaspersky Anti-Virus (what, they don’t have any others in China?), extracts a UPX-packed DLL (Ow.dll) from its resources segment and loads it as a keyboard hook DLL.
The keyboard hook targets World Of Warcraft and uploads captured information to the attacker’s server disguised as HTTP requests.
My Zero Day blogging colleague Dancho Danchev does a deep-dive analysis of the attacks, which are using SQL injection to plant executables on thousands of compromised Web sites.
The current malware attack has been traced back to Chinese blackhats, who are using a zero day to infect users with password stealers. Moreover, one of the domains serving the Adobe zero day has been sharing the same IP with four of the malware domains in the recent waves of massive SQL injection attacks, indicating that this incident and the previous ones are connected.
Whether this is a zero-day issue or not -- I suspect it's a modification/variation of Mark Dowd's groundbreaking null pointer dereference exploit (.pdf) -- there are some important steps that every Windows user (Flash is a monoculture after all!) should take to limit the damage:
Patch your Flash installation. Adobe provides this page to help determine your Flash version. Make sure you're running Flash Player 188.8.131.52.
Block outgoing access to the list of IP addresses published by Shadowserver.org.
Enable DEP (Data Execution Prevention) on Windows systems.
As a temporary measure, set the kill bit on CLSID d27cdb6e-ae6d-11cf-96b8-444553540000. (Note: This will affect sites that are heavy on Flash content. Errata Security provides an AxBan tool to automate this process.)
Ensure anti-virus software is updated with the latest signatures.
Avoid browsing to suspicious sites or strange links that arrive via e-mail or IM messages.
Browse the Web with low-rights accounts wherever possible.
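As an added example (not from the original post, nor Adobe's or Errata Security's tooling), the following PowerShell script audits a Windows host against three of the steps above: it reports the installed Flash ActiveX version, whether the kill bit is set on the Flash CLSID, and the machine's DEP policy, and can apply the kill bit when run with -SetKillBit. It assumes an elevated PowerShell session and the 32-bit Flash install path under System32\Macromed\Flash (SysWOW64 on 64-bit Windows); the kill bit is undone by deleting the "Compatibility Flags" value it writes.

```powershell
# Added example (not from the original post): audit a Windows host for the
# Flash mitigations listed above, and optionally apply the kill bit.
# Assumes: elevated PowerShell; Flash ActiveX under %SystemRoot%\System32\Macromed\Flash
# (use SysWOW64 instead on 64-bit Windows).
param([switch]$SetKillBit)

$Clsid   = '{d27cdb6e-ae6d-11cf-96b8-444553540000}'   # Flash ActiveX control CLSID, from the post
$KillKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KillBit = 0x400                                       # compatibility flag that blocks the control in IE

# 1. Installed Flash version, read from the ActiveX control's file version info.
$ocxDir = Join-Path $env:SystemRoot 'System32\Macromed\Flash'
$ocx = Get-ChildItem -Path $ocxDir -Filter 'Flash*.ocx' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($ocx) {
    Write-Output ("Flash ActiveX: {0} version {1}" -f $ocx.Name, $ocx.VersionInfo.FileVersion)
} else {
    Write-Output "Flash ActiveX control not found under $ocxDir"
}

# 2. Kill bit state for the Flash CLSID ($flags is $null when the key/value is absent).
$flags  = (Get-ItemProperty -Path $KillKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
$killed = ($flags -band $KillBit) -ne 0
Write-Output ("Kill bit for {0}: {1}" -f $Clsid, $(if ($killed) { 'SET' } else { 'not set' }))

# 3. Optionally apply the kill bit (temporary measure; remove the value to restore Flash in IE).
if ($SetKillBit -and -not $killed) {
    if (-not (Test-Path $KillKey)) { New-Item -Path $KillKey -Force | Out-Null }
    $newFlags = [int]($flags -bor $KillBit)
    Set-ItemProperty -Path $KillKey -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    Write-Output "Kill bit set; restart Internet Explorer for it to take effect."
}

# 4. DEP policy via WMI: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
$dep = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
Write-Output ("DEP support policy: {0} (0=AlwaysOff, 1=AlwaysOn, 2=OptIn, 3=OptOut)" -f $dep)
```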