Wednesday, July 22, 2009
Another Day, Another Adobe Zero-Day Exploit
The latest zero-day exploit originally looked like it only impacted PDF files, so naturally it was assumed that it was an Adobe Reader issue. Further forensics revealed that it was actually a Flash vulnerability, the code of which is shared between Adobe's Flash Player and Reader products.
This is bad news on a couple of levels, the primary one being that it increases the number of attack vectors: attackers can deliver PDF files with malicious Flash embedded, or they can simply go after the Flash Player itself in the browser. Right now the exploit is dropping a trojan onto the victim's machine.
The flaw has been known since late 2008, but it appears to have only recently been crafted into a working exploit via a heap spray technique. Since Flash is operating-system independent and incorporated into nearly every web browser, there's really no safety net for anyone out there yet.
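As an added example (not from the original post, Adobe or US-CERT), here is a Python triage check for the PDF-with-embedded-Flash vector described above: it flags rich-media annotation names and inflates FlateDecode streams to look for an SWF header, because the compressed wrapper hides the signature from a naive byte scan. The sample PDF and the dummy SWF bytes are constructed inline and carry no real exploit.

```python
import re
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# PDF names that mark rich-media (Flash) annotations; a heuristic, not proof of malice.
RICHMEDIA_NAMES = (b"/RichMedia", b"/Flash")

def iter_streams(pdf):
    """Yield (object dictionary bytes, raw stream bytes) for every stream object."""
    for obj in pdf.split(b"endobj"):
        m = re.search(rb"stream\r?\n(.*?)\r?\nendstream", obj, re.S)
        if m:
            yield obj[: m.start()], m.group(1)

def decode_stream(dictionary, data):
    """Inflate /FlateDecode streams so the payload's own header becomes visible."""
    if b"/FlateDecode" not in dictionary:
        return data
    try:
        return zlib.decompress(data)
    except zlib.error:  # corrupt or truncated stream: nothing to inspect
        return b""

def scan_pdf(pdf):
    """Return a list of findings describing Flash content inside the PDF bytes."""
    findings = [f"rich-media name {n.decode()} present" for n in RICHMEDIA_NAMES if n in pdf]
    for dictionary, raw in iter_streams(pdf):
        payload = decode_stream(dictionary, raw)
        if payload[:3] in SWF_MAGIC:
            findings.append(f"embedded SWF stream ({payload[:3].decode()} header)")
    return findings

# Constructed sample: a dummy SWF header plus zero padding (no real Flash bytecode).
SAMPLE_SWF = b"FWS\x0a" + (72).to_bytes(4, "little") + b"\x00" * 64

def build_sample_pdf(swf=None):
    """Build a minimal one-page PDF; with `swf` it carries a FlateDecode-wrapped rich-media asset."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    if swf is None:
        objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj")
    else:
        body = zlib.compress(swf)
        objs += [b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj",
                 b"4 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent << /Assets 5 0 R >> >> endobj",
                 b"5 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(body)
                 + body + b"\nendstream endobj"]
    return b"%PDF-1.7\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf(SAMPLE_SWF)))  # two findings
    print(scan_pdf(build_sample_pdf()))             # []
```

The check is deliberately loose: a legitimate PDF with a Flash video will also trip it, so treat a hit as a reason to open the file in a sandbox rather than as a verdict.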
Adobe has limited information available on their Product Security Incident Response Team blog.
US-CERT is recommending the following workarounds:
• Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
• Disable Flash Player or selectively enable Flash content as described in the "Securing Your Web Browser" document.
Update 10:29 PM - Not a single antivirus product is triggering on the malicious .swf files.
Image by GoGap via flickr