Thursday

0-Day in Adobe Flash, also executable from Acrobat Reader (updated)



SANS ISC is one of the first to report on this:

First, several AV companies reported that they detected this 0-day exploit in PDF files, so at first it looked like an Adobe Reader vulnerability. However, the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well.

And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal).

It appears that even when JavaScript support is disabled in Adobe Reader, the exploit still works, so at the moment there are no reliable protection mechanisms (except not using Adobe Reader?). Regarding Flash, NoScript is your best help here, of course.
An alternative Firefox add-on is Flashblock. For IE, you can deploy a kill bit. Keep in mind that the kill bit only closes the browser vector: Reader will still execute SWF content embedded in a PDF.

Applying the kill bit for the following CLSID (the Shockwave Flash ActiveX control) will prevent Internet Explorer from loading it:

{D27CDB6E-AE6D-11cf-96B8-444553540000}

More information about how to set the kill bit is available in Microsoft Support Document 240797.
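As an added example (not part of the original post or of Microsoft's KB article), the following PowerShell snippet sets the kill bit for the CLSID above the way KB 240797 describes it: a DWORD named "Compatibility Flags" with bit 0x400 set under the ActiveX Compatibility key. It preserves any other flags already present and verifies the result. The function names and the output strings are my own; run it from an elevated session.

```powershell
# Added example, not code from the original post: set and verify the IE kill bit
# for the Flash ActiveX control (KB 240797). Run elevated.

$clsid   = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object (from the post)
$keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$killBit = 0x400   # "Compatibility Flags" bit that blocks the control in IE (KB 240797)

function Get-FlashCompatFlags {
    $existing = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($existing) { return [int]$existing.'Compatibility Flags' }
    return 0
}

function Set-FlashKillBit {
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # OR the kill bit into whatever flags are already set; do not clobber other bits.
    $flags = (Get-FlashCompatFlags) -bor $killBit
    Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Type DWord -Value $flags
}

function Test-FlashKillBit {
    return (((Get-FlashCompatFlags) -band $killBit) -ne 0)
}

Set-FlashKillBit
if (Test-FlashKillBit) {
    "Kill bit set for $clsid; restart Internet Explorer for it to take effect."
} else {
    "Kill bit NOT set for $clsid (is this session elevated?)"
}
```

On 64-bit Windows, 32-bit Internet Explorer reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set it there as well if you run the 32-bit browser.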

So be careful when handling PDF files for now. According to some tweets from AV experts, this exploit is being used in PDFs in targeted attacks.

Update: Adobe has a summary on their website on the issue, including a way to disable the SWF component in Acrobat Reader:
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit. Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommend users keep their anti-virus definitions up to date. (Source: Adobe PSIRT)
Adobe hopes to release a patch for the issue by the 30th of July.
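As an added example (my own script, not Adobe's or the original post's), here is a PowerShell helper that applies the authplay.dll workaround from the PSIRT note by renaming the file instead of deleting it, so it can be put back once the patch ships. It assumes the default install paths quoted above; the function names and the ".disabled" suffix are my choices. Close Reader/Acrobat first and run it elevated.

```powershell
# Added example, not Adobe's code: apply, check, or roll back the authplay.dll
# workaround. Paths are the defaults quoted in the Adobe PSIRT note; adjust as needed.

$candidates = @(
    'C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll',
    'C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll'
)
$suffix = '.disabled'   # assumed backup suffix

function Disable-AuthPlay {
    foreach ($dll in $candidates) {
        if (Test-Path $dll) {
            # Rename rather than delete so the change is reversible after patching.
            Rename-Item -Path $dll -NewName ((Split-Path $dll -Leaf) + $suffix)
            "Disabled: $dll"
        }
    }
}

function Restore-AuthPlay {
    foreach ($dll in $candidates) {
        $backup = $dll + $suffix
        if (Test-Path $backup) {
            Rename-Item -Path $backup -NewName (Split-Path $dll -Leaf)
            "Restored: $dll"
        }
    }
}

function Get-AuthPlayState {
    foreach ($dll in $candidates) {
        $state = if (Test-Path $dll)             { 'present (SWF-in-PDF enabled)' }
                 elseif (Test-Path ($dll + $suffix)) { 'renamed (workaround active)' }
                 else                            { 'not installed at this path' }
        "$dll : $state"
    }
}

Disable-AuthPlay
Get-AuthPlayState
# After the fixed version is installed, run Restore-AuthPlay (or simply let the
# installer replace the file) to get SWF rendering back.
```

Expect the "non-exploitable crash or error message" Adobe mentions when opening a PDF with embedded SWF while the workaround is active; that is the intended behaviour, not a sign the mitigation failed.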

(Photo under creative commons from Arthaey's photostream)
