Adobe Flash 0-day in the wild..

It’s back again to haunt Adobe – a new 0-day was confirmed by the inventors of the PDF format yesterday. Adobe released an advisory to confirm the vulnerability in Flash Player being exploited in the wild.

The vulnerability (CVE-2011-0609) exists in Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems (Adobe Flash Player 10.2.154.18 and earlier for Chrome users), Adobe Flash Player 10.1.106.16 and earlier versions for Android. Even the authplay.dll component that ships with Adobe Reader and Acrobat X is affected. According to Adobe -

“This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system.”

The vulnerability is being exploited via a Excel file (.xls) embedded with a malicious Flash file (.swf). Once the malicious excel file is executed, the payload is known to connect  to “good.mincesur.com (119.70.119.30)” possibly to download more malware.

There are reports of the malicious excel file being delivered through email as an attachment with probably the usual dose of phishing content.  It seems to be a logical move by the attackers – since the exploit vector via Adobe Reader is subverted by the Reader X’s sandbox (protected) mode, Microsoft Office seems to be the next perfect delivery mechanism for such vulnerabilities. Apparently, the protected mode is also a reason for Reader X patch to come a little late (June) ! I won’t be too surprised if we start seeing more such attacks that involve piggy-backing of two different software components in the future.

Talking about targeted attacks, Google recently confirmed that it was a victim of a highly targeted and apparently politically motivated attack that involved abuse of another publicly-disclosed Internet Explorer 0-day – the MHTML vulnerability.

Adobe has promised a emergency patch for this vulnerability but users will have to wait till 21st March for the patch to be available. In the mean time, I would suggest users to avoid opening excel attachments received from unknown or un-trusted sources and watch this space for further updates !

Neeraj Thakar

(18/03/2011) Update1:

Some more technical details have been disclosed since the news about the Flash 0-day started making rounds.

While Adobe prepares for the patch release, Office 2010 and 2007 users have some relief as Microsoft has published some workarounds to prevent the exploit from working. For Excel 2007 users, disabling “all controls” from the “Trust Center” ActiveX options prevents the flash object from loading, thus preventing the exploit from working.

Excel Tust Center ActiveX settings

However, you might lose other functionality since this option can potentially break other add-ons and ActiveX controls. So, be sure to test the changes out in your environment before deploying on multiple systems. As for Office 2010 users, they are not vulnerable to this since Office 2010 enables DEP by default and the current exploit does not use any DEP bypass mechanisms.

Beyond this, one can use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) to help prevent the exploit from working. It provides additional layer of security mechanisms that prevent the exploit from working.

While these workarounds will prevent the exploit from working via Excel, the vulnerability is in Flash and can be triggered from the browser also. So, choosing a browser that uses DEP by default such as Internet Explorer 8/9 or Firefox with NoScript/NoFlash add-on will help. Incidentally, Google Chrome has already released a new version (10.0.648.134) that includes a patch that plugs this Flash vulnerability.

(23/03/2011) Update 2:

Adobe has released an update for the flash player (version 10.2.153.1 for windows). We recommend all users to upgrade to this new version ASAP ! Adobe Reader X users though not affected by this vulnerability, will have to wait till 14th June to get the update.

This entry was posted in Vulnerabilities. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>