CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 28th, 2008

New Adobe Flash Vulnerability Exploited In Latest Mass SQL Injection Attack

Recent Adobe Flash vulnerability is already abused in another mass compromise through another SQL injection attack. This current malware attack has been traced back to Chinese hackers, once again. They are using a zero-day exploit to infect users with password stealing malware.

This zero-day exploit taking advantage of an unknown vulnerability in Adobe Flash Player, allowing malicious users to install info stealing trojans on affected PCs. Integer overflow in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file with a negative Scene Count value, which passes a signed comparison, is used as an offset of a NULL pointer, and triggers a buffer overflow.

Legitimate sites were found to have been injected with scripts that lead browsers silently to sites hosting exploits for the Flash vulnerability. Upon meeting certain system conditions that allow the exploitation to commence, PCs download and execute info-stealers (like TSPY_UPACK.D) or droppers (like TROJ_DROPPER.NAK), through infected .SWF files SWF_DLOADER.YVM and SWF_DLOADER.YVN, as they are detected by TrendLabs. More patterns in this infection detected as HTML_DLDR.BF, TSPY_UPACK.D, TROJ_DROPPER.NAK, HTML_DLDR.BF, TSPY_UPACK.D, TROJ_DROPPER.NAK.

Some domains in this attack spoof the domain name of legitimate and known phone company Nokia, as well as that of the popular online game Defense of the Ancients (DotA). Other domains are lkjrc.cn and woai117.cn (obviously, since .cn domains cost about 1 cent each).

Here is a list of domains that currently serve malicious files, as posted on Dancho Danchev blog:

tongji123.org
bb.wudiliuliang.com
user1.12-26.net
user1.12-27.net
ageofconans.net
lkjrc.cn
psp1111.cn
zuoyouweinan.com
user1.isee080.net
guccime.net
woai117.cn
wuqing17173.cn
dota11.cn
play0nlnie.com
0novel.com
117276.cn
woai117.cn

At this moment there is no known patch available from Adobe, and no known workaround. Again, avoid visiting unknown sites or use Firefox with NoScript plugin.

Update (May 29): The malicious SWF file found in-the-wild has been found to affect Adobe Flash Player 9.0.115.0 and earlier, not the latest version 9.0.124.0.

According to Symantec this issue was believed to be unpatched and unknown, but further technical analysis has revealed that it is the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. Adobe has released an official statement noting that Flash Player versions 9.0.124.0 aren’t affected by these attacks and confirming that the SWF files are in fact leveraging this flaw.

Official statement by Adobe.

Users are advised to ensure that Flash is updated to version 9.0.124.0.

Share this item with others:

More on CyberInsecure:
  • Critical Flash Player, Acrobat, Reader Vulnerability Exploited In The Wild
  • Confirmed Zero-day Flash Vulnerability In Latest Adobe Reader And Acrobat 9.1.2, Adobe Flash Player 9 And 10
  • Potential Vulnerability In Adobe Flash
  • Almost 300,000 Webpages Infect Visitors Through Invisible IFrame Link
  • Critical Security Vulnerability Patched In Adobe AIR 1.5

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: New Adobe Flash Vulnerability Exploited In Latest Mass SQL Injection Attack

    5 Responses to “New Adobe Flash Vulnerability Exploited In Latest Mass SQL Injection Attack”

    1. “At this moment there is no known patch available from Adobe, and no known workaround.”

      uhm, if you just use the current version, then you’re protected from those Chinese hackers who followed Mark Dowd’s blueprint.
      http://blogs.adobe.com/psirt

      (The “injection” was to HTML pages, and shows how normal websites are not always protected from hackers inserting evil links into good pages. Those hacked sites just pointed to foreign servers hosting malformed SWF.)

      jd/adobe


    2. The information listed here is incorrect. Check the appropriate security websites and Adobe’s website to see the full details. This issue was addressed in the last Flash Player update.


    3. My contacts in Adobe say this is not true.


    4. Correction… the latest Flash player is immune from this vulnerability 9.0.124. Just fyi.


    5. CyberInsecure Says:
      May 29th, 2008 at 1:20 pm

      Updated. Thanks Zach Stepek, JD, Steve and Corey.


    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
    Click to hear an audio file of the anti-spam word