|
SUMware2
Premium Member
2008-May-28 12:41 am
Attack code targets new Adobe Flash vuln
From The Register, 27th May 2008 - quote:
Security researchers have discovered attack code in the wild that targets a previously unknown vulnerability in the latest version of Adobe Flash.
At least 20,000 web pages have been found to carry links to a site that hosts malicious Flash applets that exploit the weakness, according to Symantec researchers. The malicious links are likely to be the result of SQL injections, an attack method that's grown rampant in recent weeks.
The links silently redirect end users to a site that preys on a vulnerability in Flash Player versions 9.0.124.0 and older, according to this advisory from the Sans Internet Storm Center.
The seriousness of the vulnerability and the extent of the attack are undetermined at time of writing. According to Symantec, "an attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions."
In a separate advisory, Sans is reporting the hosting of malicious SWF files, but it's unclear if they are related to the recently discovered vulnerability or to one that has already been patched.
Adobe says it's investigating the Symantec report.
Stay tuned. |
|
Cabal Premium Member join:2007-01-21 |
Cabal
Premium Member
2008-May-28 8:13 am
Looks like Firefox + NoScript users are not affected unless they choose to manually run the malicious Flash. Gnash also not affected. |
|
|
hellospank
Anon
2008-May-28 10:12 am
said by Cabal:
Looks like Firefox + NoScript users are not affected.

NoScript doesn't protect you, because a page can autoplay a Flash movie even if you have javascript disabled. |
|
EliteKiss My Ass join:2002-10-03 New Haven, CT |
to SUMware2
This is the first true zeroday exploit I've seen in a while.
Recommendation: Nuke flash until it's patched by Adobe in a week or so. |
|
CudniLa Merma - Vigilado MVM join:2003-12-20 Someshire |
to hellospank
said by hellospank:
said by Cabal:
Looks like Firefox + NoScript users are not affected.
NoScript doesn't protect you, because a page can autoplay a Flash movie even if you have javascript disabled.

NoScript blocks flash irrespective of or in addition to javascript
Cudni |
|
visormiser Premium Member join:2004-02-10 Alexandria, VA |
to SUMware2
This attack does not appear to be attacking a new vulnerability or zero day. Both Symantec and the SANS Internet Storm Center have retracted their posts calling this a new vulnerability.

From the Washington Post's Security Fix Blog:

Further analysis of the sites distributing the malicious code suggests that the attack does not work against the latest version of Flash for either Internet Explorer or Firefox. So, users with the latest version of Flash should be protected from this attack.

Symantec's initial writeup clashed with the conclusions I heard about Tuesday afternoon from researchers at Reston, Va., based iDefense. Matt Richard, director of rapid response for iDefense, told me the exploit appears to mimic a method written about in a white paper published last month by Mark Dowd, a researcher at IBM's Internet Security Systems. Symantec updated its initial advisory late Tuesday evening, to confirm that the bad guys indeed appear to have adopted the technique Dowd described.

There's more here: » blog.washingtonpost.com/ ··· r_f.html |
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
to SUMware2
NOTE: Further research indicates that this vulnerability is the same issue described in BID 28695 (Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability), so this BID is being retired.
» www.securityfocus.com/bi ··· /discuss

BID 28695
Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability

Adobe Flash Player is prone to a remote buffer-overflow vulnerability when handling multimedia files with certain tags. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Adobe Flash Player 9.0.115.0 and earlier versions are affected.

NOTE: This issue has been fixed in all versions of Adobe Flash Player 9.0.124.0.

Initial investigations suggested that the vulnerability had not been patched in the standalone Adobe Flash Player version 9.0.124.0 for Linux and the standalone Adobe Flash Player version 9.0.124.0 with debug capabilities for Microsoft Windows. The observed behaviour that led to this initial conclusion has since been confirmed by Adobe as being by design.
» www.securityfocus.com/bi ··· /discuss |
|
Libra Premium Member join:2003-08-06 USA |
to visormiser
That's very good news! Thanks Name Game and Visormisor for letting us know.
Sincerely, Libra |
|
|
mysec Premium Member join:2005-11-29
1 recommendation |
to SUMware2
With these Flash exploits, it seems to me that with proper security in place, one is protected while a patch or upgrade is forthcoming.

1) If you have a Flash blocker in place which inserts a Placemarker, you can select whether or not to run a Flash applet, as above in the screen shot. Knowing the web site influences your decision, of course. From the information released in the advisories, the user is redirected to the malicious site, whereupon in this case, the malicious Flash Object would show up as a Placemarker. The user, realizing that she/he has been redirected, then just exits the site with no compromise.

2) As analyzed by sans.org, after all of the fancy obfuscated code has run, the same old result occurs: download malware
-- Indeed, hxxp://www.play0nlnie.com/ax.exe is downloaded, --
which is easily blocked by many security products today.

This evening, sans.org analyzed another attack: » isc.sans.org/diary.html? ··· yid=4477
This one uses encoded VBScript to deliver.
... strings flash.swf shows us another possible malware location:
urlmon.dll
hxxp://www.jj120.com/inc/f_ckjp.exe

Note that it doesn't matter what the trigger method is: VBS, Shellcode in Buffer Overflow -- if the result is to download malware, it's easily prevented by:
HIPS products
Products like ProcessGuard
Software Restriction Policies
Vista's UAC |
|
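The `strings flash.swf` triage step quoted in the post above, as an added example that is not part of the original thread or of the SANS analysis. It goes one step further than plain `strings` by inflating zlib-compressed (`CWS`) files first, and it prints URLs defanged. The function names and the sample file are constructed for illustration; the sample URL uses the reserved `example.invalid` domain.

```python
import re
import struct
import zlib

MAX_BODY = 16 * 1024 * 1024  # cap on inflated size, guards against zip bombs
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
FILE_RE = re.compile(rb"[\w.-]+\.(?:exe|dll)\b", re.I)

def swf_body(data):
    """Return (version, body) with a CWS body inflated; reject anything else."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")
    body = data[8:]
    if data[:3] == b"CWS":
        inflater = zlib.decompressobj()
        body = inflater.decompress(body, MAX_BODY)
        if inflater.unconsumed_tail:
            raise ValueError("inflated body exceeds MAX_BODY")
    return data[3], body

def triage(data, min_len=6):
    """List defanged URLs and .exe/.dll names found in the SWF body."""
    version, body = swf_body(data)
    declared = struct.unpack("<I", data[4:8])[0]  # header: total inflated size
    report = {"version": version, "urls": [], "files": [],
              "length_ok": declared == len(body) + 8}
    for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, body):
        url = URL_RE.search(s)
        if url:
            report["urls"].append(url.group().decode().replace("http", "hxxp", 1))
        else:
            report["files"] += [m.decode() for m in FILE_RE.findall(s)]
    return report

def make_sample(compressed):
    """Constructed test input: SWF header plus a body holding two marker strings."""
    body = (b"\x00\x01\x02urlmon.dll\x00\x07"
            b"http://example.invalid/constructed.exe\x00\x00")
    header = (b"CWS" if compressed else b"FWS") + bytes([9])
    header += struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)

if __name__ == "__main__":
    print(triage(make_sample(compressed=True)))
```

Running plain `strings` on a `CWS` file only sees the compressed stream, so embedded URLs can be missed unless the body is inflated first.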
mysec
1 recommendation |
mysec
Premium Member
2008-May-29 4:51 am
A closer look at the analysis of the new exploit posted at sans.org reveals that if the Flash exploit fails, an iframe loads another html page which downloads the malware by remote code execution. Evidently it exploits an IE vulnerability, since it would not work in Opera. See my test: Test |
|
CudniLa Merma - Vigilado MVM join:2003-12-20 Someshire |
to SUMware2
|
|
bcool Premium Member join:2000-08-25 |
to Cudni
said by Cudni:
said by hellospank:
said by Cabal:
Looks like Firefox + NoScript users are not affected.
NoScript doesn't protect you, because a page can autoplay a Flash movie even if you have javascript disabled.
NoScript block flash irrespective or in addition to javascript
Cudni

Thanks Cudni. Yup. NoScript will not allow for any "autoplay" of flash unless you configure accordingly. |
|