After suspecting a zero day exploit was being used to attack the latest version of Flash Player (220.127.116.11), Symantec says the call was a mistake — it was an exploit for versions 18.104.22.168 and prior.
Yesterday it was feared that hackers were using a malicious ShockWave Flash file which Symantec researchers thought was a zero day exploit for the latest version of Flash Player.
Symantec, however, shied away from confirming that it was a zero day exploit, as it appears to be designed for a flaw which Adobe patched in April, prior to it being publicly disclosed by an IBM security researcher.
"Originally this issue was believed to be unpatched and unknown, but further technical analysis has revealed that it is the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM," Symantec reported on its ThreatCon page today.
Adobe has also confirmed the exploit is not new. "This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere — customers with Flash Player 22.214.171.124 should not be vulnerable to this exploit," it states on its Product Security Incident Response Team site.
The CEO of security consultancy Novologica, Nishad Herath, who yesterday acquired a sample of the exploit, told ZDNet.com.au today that the error appears to have been caused by a reference in the malicious SWF file to the new version of Flash Player.
"Actually [the code] does have references to the latest version of Flash, but it is not exploiting a new zero day — it is exploiting the old patched vulnerability," he said.
"It means Adobe patched the flaw properly, but Symantec has made a mistake... The exploit writer had made a reference to a SWF file with the name 126.96.36.199.swf, so it may just be that they were planning to add something to that exploit that may work on the new version in the future, should a zero day vulnerability be released... They might have been attempting to make this code base future-proof, but it's of no real relevance [to the exploit]," said Herath.
Adobe recommends updating Flash Player to the latest version since older versions are vulnerable to the exploit which Symantec discovered yesterday.