Yesterday Symantec raised its ThreatCon rating in response to an infection involving about 20,000 web pages (250,000 according to other sources), probably still spreading actively through an automated SQL injection.

The main news is that this time an apparently unpatched vulnerability in Adobe Flash Player is being exploited, which makes the attack on end users effectively cross-browser and potentially cross-platform:

The attack uses multiple layers of SWF redirection and generates URLs designed to target specific Flash version and browser combinations, supporting both Internet Explorer and Firefox.

The Adobe Product Security Incident Response Team reports being aware of this problem and cooperating with the antivirus company on a precise assessment.

In the meantime, according to Symantec, you should:

Avoid browsing to untrustworthy sites. Consider disabling or uninstalling Flash until patches are available. Deploy script-blocking mechanisms, such as NoScript for Firefox, to explicitly prevent SWFs from loading on all but explicitly trusted sites. Temporarily set the kill bit on CLSID d27cdb6e-ae6d-11cf-96b8-444553540000 until patch availability is confirmed.
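The last item deserves a concrete recipe, since "set the kill bit" is easy to get subtly wrong (overwriting other compatibility flags, or forgetting the 32-bit view on x64). The following PowerShell script is an added example, not code from this post, from Symantec or from Adobe: it sets, verifies and, once the update is confirmed installed, clears the Internet Explorer kill bit for the Flash Player CLSID quoted above. The registry location and the 0x400 flag value are Microsoft's documented "ActiveX Compatibility" mechanism (KB 240797); the assumption that both the native and the Wow6432Node keys should be written on 64-bit Windows is the usual practice for 32-bit controls and is labelled as such in the code.

```powershell
# Added example: IE kill bit for the Flash Player ActiveX control.
# Run from an elevated PowerShell prompt. Affects Internet Explorer (and any
# application hosting the IE rendering engine) only; Firefox loads the NPAPI
# plugin and is not touched by this setting.

$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'   # CLSID from the advisory
$KillBit    = 0x400                                       # COMPAT_FLAG_KILL_BIT (KB 240797)

function Get-KillBitPaths {
    param([string]$Clsid)
    # Native key, plus the 32-bit view on x64 (assumption: the Flash control is
    # 32-bit, so 32-bit IE on a 64-bit OS consults Wow6432Node).
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Get-CompatFlags {
    param([string]$Path)
    $p = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($p) { return [int]$p.'Compatibility Flags' }
    return 0
}

function Set-KillBit {
    param([string]$Clsid)
    foreach ($path in Get-KillBitPaths $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # OR the bit in rather than overwriting, so any other flags already
        # present on this CLSID are preserved.
        $flags = (Get-CompatFlags $path) -bor $KillBit
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Clear-KillBit {
    param([string]$Clsid)
    # Use once the patched player is confirmed installed; leaves other flags alone.
    foreach ($path in Get-KillBitPaths $Clsid) {
        if (Test-Path $path) {
            $flags = (Get-CompatFlags $path) -band (-bnot $KillBit)
            Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $flags -Type DWord
        }
    }
}

function Test-KillBit {
    param([string]$Clsid)
    # True only if the bit is set in every view IE may consult.
    foreach ($path in Get-KillBitPaths $Clsid) {
        if (((Get-CompatFlags $path) -band $KillBit) -ne $KillBit) { return $false }
    }
    return $true
}

Set-KillBit $FlashClsid
if (Test-KillBit $FlashClsid) {
    Write-Host "Kill bit set for $FlashClsid; Flash is now disabled in Internet Explorer."
} else {
    Write-Warning "Kill bit could not be verified for $FlashClsid."
}
```

Check the result by opening a page that embeds Flash in IE: the object should refuse to instantiate. Remember that the kill bit survives a Flash update, so run `Clear-KillBit $FlashClsid` after confirming that 9.0.124.0 (or later) is installed, otherwise IE will keep refusing the patched control too.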

Additional notes for NoScript users

Since the offending SWF files are served from external, ad-hoc Chinese domains (wuqing17173.cn, woai117.cn and dota11.cn at this moment, very unlikely to be in your whitelist), you should still be protected even if a trusted site were infected.

However, if you want maximum protection, it's a good time to check NoScript Options|Plugins|Apply these restrictions to trusted sites as well.
This option turns NoScript into an effective security-oriented replacement for the FlashBlock extension, and it also covers Java, Silverlight and other potentially vulnerable plugins such as QuickTime.
All active embedded content, no matter where it comes from, will be blocked preemptively, and you will be able to load it selectively by clicking on the visual placeholders.

Update

(from PSIRT’s blog):

This exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0. We strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.

Since the currently exploited vulnerability appears to be patched, but the attack vector explicitly tests for the 9.0.124.0 player and can perform dynamic redirects, I'd obviously upgrade but still stay on the cautious side, deploying preemptive countermeasures just in case they're saving the real zero-day for a second wave…

7 Responses to “Unpatched Flash Vulnerability Widely Exploited in the Wild”

  1. #1 meathive says:

    It’s got to be comforting knowing that the tool you’ve spent so much time developing continues to block the latest attacks.

    Greets!

  2. #2 Peng’s links for Wednesday, 28 May « I’m Just an Avatar says:

    […] Mozilla: Unpatched Flash Vulnerability Widely Exploited in the Wild. There’s a new vulnerability in Adobe Flash Player 9 (formerly the Macromedia Flash Player). […]

  3. #3 hackademix.net » Ronald, Stop Scaring Poor AVG! says:

    […] Unpatched Flash Vulnerability Widely Exploited in the Wild 28 05 2008 […]

  4. #4 Peng’s links for Wednesday, 28 May » lolcat.us says:

    […] Mozilla: Unpatched Flash Vulnerability Widely Exploited in the Wild. There’s a new vulnerability in Adobe Flash Player 9 (formerly the Macromedia Flash Player). […]

  5. #5 therube says:

    The Adobe Product Security Incident Response Team (PSIRT) link was updated to indicate that the current (for about two months now) version of Adobe Flash (9.0.124.0) resolves the issue?

  6. #6 Giorgio says:

    @therube:
    I updated this blog post accordingly too, thanks.

  7. #7 hackademix.net » Block Rick! says:

    […] bit more worrisome, though, if you used to believe FlashBlock could improve your security against Flash vulnerabilities. Your next surprise video star may be way more malicious than […]
