Adobe Flash zero-day exploit in the wild *Updated*

[Marc57]

Malware hunters have spotted a previously unknown — and unpatched — Adobe Flash vulnerability being exploited in the wild.


http://blogs.zdnet.com/security/?p=1189&tag=nl.e589

Be careful out there

[Lisandro]

Does avast protects against this one?

[Marc57]

Does avast protects against this one?

A very good question Tech, Let's hope someone from Alwil can answer it.

[FreewheelinFrank]

More reports:

http://tailrank.com/6068446/Adobe-Flash-Player-SWF-File-Unspecified-Remote-Code-Execution-Vulnerability

http://ddanchev.blogspot.com/2008/05/malware-attack-exploiting-flash-zero.html

http://isc.sans.org/diary.html?storyid=4465

http://news.cnet.com/8301-10789_3-9952547-57.html

[kubecj]

Added the detection to the internal test version, should be out today.

[Marc57]

Thanks kubecj.

[polonus]

Hi malware fighters,

Here a list of sites to block:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527

polonus

[Marc57]

Thanks for the info polonus.

[CharleyO]

***

Thanks for the link, Polonus.   


***

[Marc57]

Update, it looks like the 9.0.124.0 plug-in version of flash player is immune to this attack. Make sure yours is up to date.


http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=spam__malware_and_vulnerabilities&articleId=9090218&taxonomyId=85

[polonus]

Hi marc57,

Thanks for the heads up. I already have this latest version, and other are advised to do so without delay at: http://www.adobe.com/products/flashplayer/

Still 40% of all Windows users did not update, according to numbers from Online Software Inspector and Personal Software Inspector links: https://psi.secunia.com/ and http://secunia.com/software_inspector/
36% of PSI users did not update to the latest 9.0.124.0 version. If these are the numbers for security aware people, the numbers for unprotected and vulnerable common users must be many times higher.
However the users of Firefox with NoScript blocking must be considered as also secure,

polonus

[drhayden1]

Security sites are warning of increased dangers of malformed Shockwave Flash (SWF) objects. I've read reports of possibly 250,000 web pages hosting this new exploit. It is important to move to the latest version of Flash if prompted or manually update if you are not on version 9.0.124.

Adobe test site which will show latest version (should be 9.0.124)
http://kb.adobe.com/selfservice/viewConten...rnalId=tn_15507

How to manually update if needed (be sure to uncheck Google Toolbar)
http://www.adobe.com/products/flashplayer/

AVERT reports that recent sites affected by mass hacking attacks are being redirected to load malicious SWF files. These exploits are being programmed for specific versions of Flash to broaden the scope of attacks. Finally, please see last AVERT link (05/28), as they are researching a new variant that might possibly exploit Flash where it is fully up-to-date (e.g., 9.0.124).

Adobe Flash Player Flaw - Massive Exploitation reported
http://www.frsirt.com/english/

QUOTE: Adobe Flash Player Flaw Massive Exploitation -- The Adobe Flash Player vulnerability which was disclosed this week by Symantec and believed to be unknown (zero-day) is a previously known issue that was patched with version 9.0.124.0. Multiple compromised web pages are currently exploiting this flaw and distributing malware.

ADDITIONAL LINKS
http://www.frsirt.com/english/advisories/2008/1158
http://isc.sans.org/diary.html?storyid=4474
http://secunia.com/advisories/30404/
http://www.securityfocus.com/bid/29386
http://www.avertlabs.com/research/blog/ind...exploit-update/

QUOTE: Here's a quick update to the earlier post on a new unpatched Adobe Flash vulnerability. Through looking for sites serving these SWF exploits we've found a connection with recent mass hacks. Hacked sites reference an external script, just as they have for quite some time. But, the external scripts now reference an SWF file.

New variants emerging - AVERT researching claims that currently patched systems may be vulnerable?
http://www.avertlabs.com/research/blog/ind...ploit-update-2/

[DavidR]

Dan, when you are posting links many don't work.
e.g. all the ones with ... in the URL.

This is because where you are copying them from whatever source, they shorten the displayed URL using the .... in the displayed link, the underlying URL of the link you copy from should have the full path.

[polonus]

Hi DavidR,

The most interesting link: http://www.avertlabs.com/research/blog/index.php/2008/05/28/flash-player-exploit-update-2/

pol

[kubecj]

Our detection in the last VPS should be very, very generic (I'm myself a bit afraid that it may sometimes FP on broken flash files), so avast users should be protected.

I'm not sure I understand the NoScript remark? The vulnerability is in Flash, the javascript around is just to hide the fact.