CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 27th, 2008

Adobe Flash Player SWF File Zero-Day Remote Code Execution Vulnerability

Adobe Flash Player is prone to an unspecified remote code-execution vulnerability. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Adobe Flash Player 9.0.115.0 and 9.0.124.0 are vulnerable; other versions may also be affected.

According to Symantec, this issue is being actively exploited in the wild, and hence the DeepSight ThreatCon is being raised to Level 2. The flaw occurs when processing a malicious SWF file. Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw, but are using different payloads. At the moment these domains do not appear to be resolving, but they may come back in the future. Further analysis of these attacks, specifically the woai117.cn attack, uncovered another domain involved: dota11.cn.

Google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site. A wide variety of legitimate third-party sites appear to be affected. The injected code redirects users to sites hosting malicious Flash files exploiting this issue. According to ZDNet, this zero-day flaw has already been added to the Chinese version of the MPack exploit kit.

Currently there are no vendor-supplied patches. Users are strongly advised to disable Flash until patches are available, avoid browsing to untrustworthy sites and deploy script-blocking mechanisms, such as NoScript for Firefox.

Update (May 29): The malicious SWF file found in-the-wild has been found to affect Adobe Flash Player 9.0.115.0 and earlier, not the latest version 9.0.124.0.

According to Symantec, this issue was believed to be unpatched and unknown, but further technical analysis has revealed that it is the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. Adobe has released an official statement noting that Flash Player version 9.0.124.0 isn’t affected by these attacks and confirming that the SWF files are in fact leveraging this flaw.

Official statement by Adobe.

Users are advised to ensure that Flash is updated to version 9.0.124.0.
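As an added defensive example (not code from the post, Symantec or Adobe), the following Python scans a captured web page for script, iframe, object or embed references that point at the three domains named above, and checks a reported Flash Player version against the 9.0.115.0 threshold given in the May 29 update. The sample HTML is constructed for illustration.

```python
import re
from typing import List, Tuple

# Domains the post names as hosting the exploit SWFs or taking part in the redirect chain.
KNOWN_EXPLOIT_DOMAINS = ("wuqing17173.cn", "woai117.cn", "dota11.cn")

# src=/data= targets of script, iframe, embed and object tags (also catches tags written
# out by an injected document.write(), since the regex does not care about nesting).
_REF_RE = re.compile(
    r'''<(?:script|iframe|embed|object)[^>]*?\b(?:src|data)\s*=\s*["']?([^"'\s>]+)''',
    re.IGNORECASE,
)
# Any absolute URL ending in .swf, captured with its host.
_SWF_RE = re.compile(r'''https?://([^/"'\s>]+)/[^"'\s>]*\.swf''', re.IGNORECASE)


def _host_of(url: str) -> str:
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _is_known_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in KNOWN_EXPLOIT_DOMAINS)


def find_exploit_references(html: str) -> List[Tuple[str, str]]:
    """Return (kind, url) pairs for every reference that points at a known exploit domain."""
    hits: List[Tuple[str, str]] = []
    for m in _REF_RE.finditer(html):
        url = m.group(1)
        if _is_known_domain(_host_of(url)):
            hits.append(("tag", url))
    for m in _SWF_RE.finditer(html):
        if _is_known_domain(m.group(1).lower()):
            hits.append(("swf", m.group(0)))
    return hits


def flash_version_is_affected(version: str) -> bool:
    """Per the May 29 update: 9.0.115.0 and earlier are affected, 9.0.124.0 is not."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts <= (9, 0, 115, 0)


# Constructed sample: a legitimate page with an injected script, a hidden iframe and a SWF object.
SAMPLE_INJECTED_PAGE = """<html><body>
<h1>Legit site</h1>
<script src="http://www.example.com/site.js"></script>
<script src="http://wuqing17173.cn/s.js"></script>
<iframe src="http://dota11.cn/i.htm" width=0 height=0></iframe>
<object data="http://woai117.cn/flash.swf" type="application/x-shockwave-flash"></object>
</body></html>"""

if __name__ == "__main__":
    for kind, url in find_exploit_references(SAMPLE_INJECTED_PAGE):
        print(kind, url)
    print("9.0.115.0 affected:", flash_version_is_affected("9.0.115.0"))
```

Feed it saved copies of pages from a proxy cache or crawl to find injected redirects; the domain list is the one from this post and will need updating as the campaign moves.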
