Slashdot Mirror
Adobe Flash Zero-Day Attack Underway
Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"
NoScript is like a condom. It will only protect you if you use it properly. If you know one of your lovers is sleeping around with hundreds of others, perhaps it is time to see someone else. Otherwise you're going to get the HIV^Wmalware.
That's why you should be using Gnash. Monoculture (all Flash being played by Adobe Flash player) is a bad thing when an infection occurs.
Put identity in the browser.
And who says it's not an issue on the MAC and Linux besides you? Nowhere in any of the linkedarticles (Yes, I actually RTFA) does it mention that it is a Windows only bug...
That's what temporary permissions are for. I have a very small, very select list of whitelisted sites, and everything else is temporary as needed. Plus, I have all flash objects blocked until I allow them. Period. Even trusted sites get this restriction -- I don't like my browser autostarting some annoying flash clip just because the site author thought it would be cute to include their "pet spider" on their website.
Silverlight does run on Mac OS X.
It plays them now
A Stack Canary is a value placed at the end of a function's stack frame. Just before function return, the canary's value is checked, and if it has changed, the user is notified.
So what you do is built a test version of Flash with canaries enabled in the compiler, then try feeding it all kinds of potentially buffer-overruning input.
To enable canaries:
- Visual Studio for Windows: Use the
/GS option
- GCC for Mac OS X: use -fstack-protector in your "Other C Flags" option in XCode
The Xcode-Users post I linked to says that stack canaries were discussed in session 109 at Apple's developer conference, in 2007 I think. You should be able to view it on the Apple Developer Connection website.I'll send you my bill in the mail.
Request your free CD of my piano music.
SQL injects aren't a MS specific problem, they are from poor programming and design. The same SQL injection attack could happen on any OS and DB
i find swfdec to be better with youtube atm
He's absolutely right about the idea of separating the control from the data. No other well-designed architecture does things this way. Take TCP, for example, which requires you to open two TCP ports for every connection, one for control and one for data. Or Ethernet where you have to have two pairs of wires, one for control data and one for real data. Other examples where this is employed are RPC, UDP, and even the telephone system.
At first glance, it might seem like you'd need to introduce control characters into the data to differentiate the various parts of the data, in case you ever needed to put multiple fields with a single control statement (I know, it's rare, but some people _do_ need this). However, the TCP people invented an ingenious way of dealing with this by designating a special character for separating fields. All you need to do is escape it every time it occurs naturally in the stream. Then, all your problems are solved.
Well, you've still got the problem of associating the control data with the payload. They are, after all, on two different channels and could arrive at different times. That's a trivial problem, though, because you just send the control data first and wait a short time before sending the real data. Electronic signals always travel at the same speed.
Oh, we're not quite done yet. What happens if you want to embed user-entered data in the control? Well, that's easily handled, too, by moving everything except the framing sequences in the control channel into the data channel, so everything is data. I think that should work perfectly.
No, zero day exploit refers to the fact that the exploit is publicly disclosed (and in use) before there is a patch to fix it. So yes, tomorrow, this will STILL be a zero day exploit.
Modding Trolls +1 inciteful since 1999
SWF and other payload files cannot be uploaded and hosted on the compromised web server as easily as SQL-injecting a script fragment which downloads them from a 3rd party site in full control of the attacker. In this and all the recent mass-infection cases, the 3rd party hosts have been improbable domains Chinese domains likely registered ad hoc (such as wuqing17173.cn, woai117.cn or dota11.cn), and very unlikely to be in your NoScript whitelist, no matter how savage your browsing habits could be.
So in all "real world" scenarios seen so far, this one included, you are protected by NoScript in its default configuration, which blocks 3rd party embeddings even if you're visiting a trusted page.
Then if you want extra protection for the use cases you've listed (i.e. frequent usage of Flash-intensive community driven web sites), you can also configure NoScript to block ALL the embedded objects, with no regard for their origin: you will still be able to temporarily allow them selectively, by clicking on a visual placeholder.
There's a browser safer than Firefox, it is Firefox, with NoScript
ya, now you're just mumbling incoherent gibberish. So sad. Either accept that your perceived definition was wrong, or stop talking about how you don't like what it doesn't mean.
The phrase is not meaningless, there is no reason to stop using it.
Modding Trolls +1 inciteful since 1999
Just check NoScript Options|Plugins|Apply these restrictions to trusted sites too. In this configuration, NoScript effectively replaces FlashBlock, and it works on plugins different from Flash as well.
There's a browser safer than Firefox, it is Firefox, with NoScript
I just installed the newest CVS 20 minutes ago. YouTube definitely still plays. Be warned though that it currently uses a crapload of CPU, and there can be a video lag while gnash loads things. Afterwards its fine though.
Once you start despising the jerks, you become one.
I'll just install the open source alternative to Flash on my Windows desktop...
Guess this is the moment for Gnash (http://www.gnu.org/software/gnash/) to shine!
See also Symantec Threatcon here
So it looks as if you have the latest flash plugin (9.0.124) you may be ok.
Andy