Wednesday, July 22, 2009

Another Day, Another Adobe Zero-Day Exploit

It's really beginning to look like Adobe will never, ever get their act together when it comes to security.

The latest zero-day exploit originally looked like it only impacted PDF files, so naturally it was assumed that it was an Adobe Reader issue. Further forensics revealed that it was actually a Flash vulnerability, the code of which is shared between Adobe's Flash Player and Reader products.

This is bad news on a couple of levels, the primary one being that it increases the number of attack vectors: the bad guys can leverage PDF files with malicious Flash embedded in them, or they can simply try to exploit the Flash Player itself. Right now the exploit is dropping a trojan onto the victim's machine.

Having JavaScript disabled in Reader doesn't even help, since it's Flash being exploited. Not only have malicious sites sprung up hosting the zero-day, but reports are coming in that drive-by attacks are also in progress, executed by injecting malicious links into otherwise legitimate web sites.

The flaw has been known since late 2008, but it appears to have only recently been crafted for exploit via a heap spray technique. Since Flash is operating system independent and incorporated into nearly every web browser, there's really no safety net for anyone out there yet.

Adobe has limited information available on their Product Security Incident Response Team blog.

US-CERT is recommending the following workarounds:

• Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
• Disable Flash Player or selectively enable Flash content as described in the "Securing Your Web Browser" document.
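The first workaround is easy to get wrong by hand (wrong path, Reader still running and holding the files open, no way to revert). Here is an added example, written for this post and not taken from US-CERT or Adobe, that applies the rename in PowerShell. The .disabled suffix, the -Revert switch, and the check of both the Program Files and Program Files (x86) directories are my own choices; the file names and the "Reader 9.0\Reader" path come from the advisory text above.

```powershell
# Added example (not from the original post or the US-CERT advisory): disables
# Flash rendering in Adobe Reader 9 on Windows by renaming the two DLLs named in
# the workaround, and can put them back with -Revert. Run from an elevated
# PowerShell prompt with Adobe Reader closed, since a loaded DLL cannot be renamed.
param(
    [switch]$Revert   # assumption: my own switch to undo the rename
)

# Reader 9 is a 32-bit application; on 64-bit Windows it lives under
# "Program Files (x86)". Check both locations and use the first that exists.
$candidates = @(
    (Join-Path $env:ProgramFiles 'Adobe\Reader 9.0\Reader'),
    (Join-Path ${env:ProgramFiles(x86)} 'Adobe\Reader 9.0\Reader')
) | Where-Object { $_ -and (Test-Path $_) }

if (-not $candidates) {
    Write-Error 'Adobe Reader 9 install directory not found.'
    exit 1
}
$readerDir = $candidates[0]

# The two libraries named in the US-CERT workaround.
$targets = 'authplay.dll', 'rt3d.dll'
$suffix  = '.disabled'   # assumption: arbitrary suffix chosen for this example

if (Get-Process -Name AcroRd32 -ErrorAction SilentlyContinue) {
    Write-Error 'Close Adobe Reader before changing these files.'
    exit 1
}

foreach ($name in $targets) {
    $live     = Join-Path $readerDir $name
    $disabled = Join-Path $readerDir ($name + $suffix)

    if ($Revert) {
        if (Test-Path $disabled) {
            Rename-Item -Path $disabled -NewName $name -ErrorAction Stop
            Write-Host "Restored: $name"
        } else {
            Write-Warning "Nothing to restore for $name"
        }
    } else {
        if (Test-Path $live) {
            Rename-Item -Path $live -NewName ($name + $suffix) -ErrorAction Stop
            Write-Host "Disabled: $name -> $name$suffix"
        } else {
            Write-Warning "Not found (already renamed?): $live"
        }
    }
}

# Verification: report whether Reader can still find either library.
foreach ($name in $targets) {
    $present = Test-Path (Join-Path $readerDir $name)
    '{0,-14} loadable={1}' -f $name, $present
}
```

Run it once to apply the workaround and with -Revert after Adobe ships a fix. Note that this only covers the Reader side: because the vulnerable code is shared with the standalone Flash Player, the browser plugin still needs the second workaround (disabling Flash Player or enabling Flash content selectively) to close that vector.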

Update 10:29 PM - Not a single antivirus product is triggering on the malicious .swf files.

