SUMware2
Premium Member
join:2002-05-21

Attack code targets new Adobe Flash vuln

From The Register
27th May 2008 -
quote:
Security researchers have discovered attack code in the wild that targets a previously unknown vulnerability in the latest version of Adobe Flash.

At least 20,000 web pages have been found to carry links to a site that hosts malicious Flash applets that exploit the weakness, according to Symantec researchers. The malicious links are likely to be the result of SQL injections, an attack method that's grown rampant in recent weeks.

The links silently redirect end users to a site that preys on a vulnerability in Flash Player versions 9.0.124.0 and older, according to this advisory from the Sans Internet Storm Center.

The seriousness of the vulnerability and the extent of the attack are undetermined at time of writing. According to Symantec, "an attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions."

In a separate advisory, Sans is reporting the hosting of malicious SWF files, but it's unclear if they are related to the recently discovered vulnerability or to one that has already been patched.

Adobe says it's investigating the Symantec report.
Stay tuned.

Cabal
Premium Member
join:2007-01-21

Looks like Firefox + NoScript users are not affected unless they choose to manually run the malicious Flash. Gnash is also not affected.

hellospank
@ms22.vnn.vn

Anon

said by Cabal:

Looks like Firefox + NoScript users are not affected.
NoScript doesn't protect you, because a page can autoplay a Flash movie even if you have javascript disabled.

Elite
Kiss My Ass
join:2002-10-03
New Haven, CT

Elite to SUMware2

Member

This is the first true zeroday exploit I've seen in a while.

Recommendation: Nuke flash until it's patched by Adobe in a week or so.

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

Cudni to hellospank

said by hellospank :
said by Cabal:

Looks like Firefox + NoScript users are not affected.
NoScript doesn't protect you, because a page can autoplay a Flash movie even if you have javascript disabled.
NoScript blocks Flash irrespective of, or in addition to, JavaScript.

Cudni
visormiser
Premium Member
join:2004-02-10
Alexandria, VA

visormiser to SUMware2

This attack does not appear to be attacking a new vulnerability or zero day.

Both Symantec and the SANS Internet Storm Center have retracted their posts calling this a new vulnerability.

From the Washington Post's Security Fix Blog:

Further analysis of the sites distributing the malicious code suggests that the attack does not work against the latest version of Flash for either Internet Explorer or Firefox. So, users with the latest version of Flash should be protected from this attack.

Symantec's initial writeup clashed with the conclusions I heard about Tuesday afternoon from researchers at Reston, Va., based iDefense. Matt Richard, director of rapid response for iDefense, told me the exploit appears to mimic a method written about in a white paper published last month by Mark Dowd, a researcher at IBM's Internet Security Systems.

Symantec updated its initial advisory late Tuesday evening, to confirm that the bad guys indeed appear to have adopted the technique Dowd described.

There's more here:

»blog.washingtonpost.com/ ··· r_f.html

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to SUMware2

NOTE: Further research indicates that this vulnerability is the same issue described in BID 28695 (Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability), so this BID is being retired.

»www.securityfocus.com/bi ··· /discuss

BID 28695
Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability

Adobe Flash Player is prone to a remote buffer-overflow vulnerability when handling multimedia files with certain tags.

An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Adobe Flash Player 9.0.115.0 and earlier versions are affected.

NOTE: This issue has been fixed in all versions of Adobe Flash Player 9.0.124.0.

Initial investigations suggested that the vulnerability had not been patched in the standalone Adobe Flash Player version 9.0.124.0 for Linux and the standalone Adobe Flash Player version 9.0.124.0 with debug capabilities for Microsoft Windows. The observed behaviour that led to this initial conclusion has since been confirmed by Adobe as being by design.

»www.securityfocus.com/bi ··· /discuss
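The thread quotes two different version boundaries (The Register's "9.0.124.0 and older" versus the BID note's "fixed in 9.0.124.0"), so a quick way to check a reported Flash Player build against the fix version is useful. The following is an added example, not code from the thread or from SecurityFocus; it takes the fixed version from the BID note quoted above and compares version strings field by field, since a plain string comparison gets cases like "9.0.9.0" versus "9.0.115.0" wrong.

```python
# Added example (not from the thread): check a reported Flash Player version
# string against the fixed version named in the BID 28695 note above.
FIXED_VERSION = "9.0.124.0"   # fix version stated in the quoted BID note


def parse_version(v: str) -> tuple:
    """Turn '9.0.115.0' into (9, 0, 115, 0) so each field compares numerically.
    A plain string comparison ranks '9.0.9.0' above '9.0.115.0' because '9' > '1'."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Shorter strings are right-padded with zeros,
    so '9.0.124' compares equal to '9.0.124.0' instead of sorting below it."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the build that carries the fix."""
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    # "10.0.0.0" is just a constructed later version for the demonstration.
    for v in ("9.0.115.0", "9.0.124.0", "9.0.124", "10.0.0.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The padding step matters because browser plugin listings and the standalone player sometimes report three-part and four-part versions for the same build.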
Libra
Premium Member
join:2003-08-06
USA

Libra to visormiser

That's very good news! Thanks Name Game and visormiser for letting us know.

Sincerely, Libra
mysec
Premium Member
join:2005-11-29

mysec to SUMware2

[screenshot]

With these Flash exploits, it seems to me that with proper security in place, one is protected while a patch or upgrade is forthcoming.

1) If you have a Flash blocker in place which inserts a Placemarker, you can select whether or not to run a Flash applet, as above in the screen shot. Knowing the web site influences your decision, of course.

From the information released in the advisories, the user is redirected to the malicious site, whereupon in this case, the malicious Flash Object would show up as a Placemarker. The user, realizing that she/he has been redirected, then just exits the site with no compromise.

2) As analyzed by sans.org, after all of the fancy obfuscated code has run, the same old result occurs: download malware --
Indeed, hxxp://www.play0nlnie.com/ax.exe is downloaded,

-- which is easily blocked by many security products today.

This evening, sans.org analyzed another attack:
»isc.sans.org/diary.html? ··· yid=4477
This one uses encoded VBScript to deliver.
...
strings flash.swf shows us another possible malware location:

urlmon.dll

hxxp://www.jj120.com/inc/f_ckjp.exe

Note that it doesn't matter what the trigger method is: VBS, Shellcode in Buffer Overflow -- if the result is to download malware, it's easily prevented by:

HIPS products
Products like ProcessGuard
Software Restriction Policies
Vista's UAC
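The post's `strings flash.swf` step only works on an uncompressed SWF: files whose header starts with "CWS" rather than "FWS" are zlib-compressed after the first 8 bytes, and `strings` on them finds nothing useful. The following is an added example, not code from the thread or from the ISC diary, that does the same triage in Python: it recognises both signatures, inflates a CWS body, extracts printable strings the way `strings` does, and pulls out URLs and bare .exe/.dll names. The sample SWF body, the domain malware.example.invalid and the file name dropper.exe are constructed for the demonstration and are not indicators from the diary.

```python
import re
import struct
import zlib

# Constructed sample SWF body (not a real Flash file and not the one from the
# ISC diary): a few binary bytes around the kind of strings `strings` surfaces.
SAMPLE_BODY = (
    b"\x00\x01\x02padding\x00" * 4
    + b"urlmon.dll\x00"                                   # Windows download helper name
    + b"http://malware.example.invalid/dropper.exe\x00"  # constructed URL, not a real IoC
    + b"\x03\x04short\x00GetProcAddress\x00"
)


def build_swf(body: bytes, compressed: bool) -> bytes:
    """Wrap a body in the 8-byte SWF header: signature, file version, uncompressed length.
    'CWS' files are zlib-compressed after the header; 'FWS' files are stored as-is."""
    sig = b"CWS" if compressed else b"FWS"
    header = struct.pack("<3sBI", sig, 9, 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed body of an FWS or CWS file."""
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError(f"not an FWS/CWS SWF, signature {sig!r}")


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n <min_len>`: runs of printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_indicators(swf: bytes) -> dict:
    """Pull URLs and bare .exe/.dll names out of an SWF, decompressing CWS first."""
    strs = printable_strings(swf_body(swf))
    return {
        "urls": [s for s in strs if re.match(r"https?://", s)],
        "binaries": [s for s in strs if re.fullmatch(r"[\w.-]+\.(exe|dll)", s, re.I)],
    }


if __name__ == "__main__":
    # Both wrappings of the same body should yield the same indicators.
    for compressed in (False, True):
        label = "CWS" if compressed else "FWS"
        print(label, find_indicators(build_swf(SAMPLE_BODY, compressed)))
```

Anything this turns up is a lead for blocking at the proxy or checking against existing detections, which is the point the post makes: whatever the trigger, the download stage is where the generic controls listed above catch it.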



mysec

A closer look at the analysis of the new exploit posted at

sans.org

reveals that if the Flash exploit fails, an iframe loads another html page which downloads the malware by remote code execution. Evidently it exploits an IE vulnerability, since it would not work in Opera.

See my test:

Test


Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

Cudni to SUMware2

another article
»www.securityfocus.com/brief/744

Cudni

bcool
Premium Member
join:2000-08-25

bcool to Cudni

said by Cudni:
said by hellospank :
said by Cabal:

Looks like Firefox + NoScript users are not affected.
NoScript doesn't protect you, because a page can autoplay a Flash movie even if you have javascript disabled.
NoScript blocks Flash irrespective of, or in addition to, JavaScript.

Cudni
Thanks Cudni. Yup. NoScript will not allow for any "autoplay" of flash unless you configure accordingly.