Adobe Flash Player SWF File Zero-Day Remote Code Execution Vulnerability
Adobe Flash Player is prone to an unspecified remote code-execution vulnerability. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Adobe Flash Player 9.0.115.0 and 9.0.124.0 are vulnerable; other versions may also be affected.
According to Symantec, this issue is being actively exploited in the wild and hence the DeepSight ThreatCon is being raised to Level 2. The flaw occurs when processing a malicious SWF file. Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw, but are using different payloads. At the moment these domains do not appear to be resolving, but they may come back in the future. Further analysis of these attacks, specifically the woai117.cn attack, uncovered another domain involved: dota11.cn.
Google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site. A wide variety of legitimate third-party sites appear to be affected. The code then redirects users to sites hosting malicious Flash files exploiting this issue. According to ZDNet, this zero-day flaw has been already added to the Chinese version of the MPack exploit kit.
Currently there are no vendor-supplied patches. Users are strongly advised to disable Flash until patches are available, avoid browsing to untrustworthy sites and deploy script-blocking mechanisms, such as NoScript for Firefox.
Update (May 29): The malicious SWF file found in the wild has been found to affect Adobe Flash Player 9.0.115.0 and earlier, not the latest version 9.0.124.0.
According to Symantec this issue was believed to be unpatched and unknown, but further technical analysis has revealed that it is the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. Adobe has released an official statement noting that Flash Player version 9.0.124.0 isn't affected by these attacks and confirming that the SWF files are in fact leveraging this flaw.
Official statement by Adobe.
Users are advised to ensure that Flash is updated to version 9.0.124.0.
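The two defensive checks this post boils down to are confirming that installed Flash Player builds are at or above 9.0.124.0 and looking for the injected redirects to the domains named above in fetched page source or proxy logs. The script below is an added example written for this page, not code from CyberInsecure, Symantec or Adobe. The version and domain values come from the post; the version-string format (dotted numeric components, as in "9.0.115.0") is an assumption, and the HTML lines it scans are constructed sample input, not a real compromised page.

```python
import re
from typing import Iterable, List, Tuple

# Values taken from the advisory text above.
FIXED_VERSION = "9.0.124.0"
KNOWN_MALICIOUS_DOMAINS = ("wuqing17173.cn", "woai117.cn", "dota11.cn")

# Match a known domain (optionally with subdomains) only as a complete hostname:
# no label characters directly before it, and no further ".label" after it,
# so "notdota11.cn" and "dota11.cn.example.com" are not counted as hits.
INDICATOR_RE = re.compile(
    r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*("
    + "|".join(re.escape(d) for d in KNOWN_MALICIOUS_DOMAINS)
    + r")(?![a-z0-9-]|\.[a-z0-9-])",
    re.IGNORECASE,
)


def parse_version(version: str, width: int = 4) -> Tuple[int, ...]:
    """Parse a dotted Flash Player version such as "9.0.115.0" into an int tuple.

    Assumed format: up to `width` numeric components. Missing trailing
    components are treated as 0, so "9.0.124" compares equal to "9.0.124.0".
    Comparing int tuples avoids the lexical-compare pitfall where the string
    "9.0.99.0" would sort above "9.0.124.0".
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > width:
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (width - len(nums))
    return tuple(nums)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the release Adobe says is unaffected."""
    return parse_version(installed) < parse_version(fixed)


def find_indicator_hits(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan text lines (page source, proxy log) for the known domains.

    Returns (line_number, matched_base_domain, line) for each hit so an analyst
    can see which injected tag or request referenced the redirect host.
    """
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(lines, start=1):
        for match in INDICATOR_RE.finditer(line):
            hits.append((line_no, match.group(1).lower(), line.rstrip()))
    return hits


# Constructed sample page source: a legitimate page with two injected tags
# pointing at the domains from the advisory. Not captured from a real site.
SAMPLE_PAGE_LINES = [
    "<html><head><title>Local news</title></head>",
    '<script src="/static/jquery.js"></script>',
    '<script src="http://www.woai117.cn/flash.js"></script>',
    '<iframe src="http://dota11.cn/i.htm" width=0 height=0></iframe>',
    "<p>Contact us at info@example.com</p>",
]


if __name__ == "__main__":
    for build in ("9.0.47.0", "9.0.115.0", "9.0.124.0", "10.0.12.36"):
        status = "VULNERABLE" if is_vulnerable(build) else "ok"
        print(f"Flash Player {build}: {status}")
    for line_no, domain, line in find_indicator_hits(SAMPLE_PAGE_LINES):
        print(f"line {line_no}: reference to {domain} -> {line}")
```

Running the block flags 9.0.47.0 and 9.0.115.0 as vulnerable, passes 9.0.124.0 and later, and reports the two injected tags on lines 3 and 4 of the sample page. The hostname-boundary regex matters more than it looks: matching the bare substring would fire on unrelated hosts that merely contain one of the domain names.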