Slashdot Mirror


Adobe Flash Zero-Day Attack Underway

Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"

14 of 246 comments

  1. Re:And people by Daengbo · · Score: 5, Informative

    That's why you should be using Gnash. Monoculture (all Flash being played by Adobe Flash player) is a bad thing when an infection occurs.

  2. Re:And people by Anonymous Coward · · Score: 2, Informative

    That's what temporary permissions are for. I have a very small, very select list of whitelisted sites, and everything else is temporary as needed. Plus, I have all flash objects blocked until I allow them. Period. Even trusted sites get this restriction -- I don't like my browser autostarting some annoying flash clip just because the site author thought it would be cute to include their "pet spider" on their website.

  3. Re:Hmm Windows only... and SQL injection? by Anonymous Coward · · Score: 2, Informative

    Silverlight does run on Mac OS X.

  4. Re:And people by Anonymous Coward · · Score: 5, Informative

    It plays them now

  5. Hey Adobe: Try Using Stack Canaries! by MichaelCrawford · · Score: 5, Informative

    No doubt someone from Adobe will be reading this Slashdot story.

    A Stack Canary is a value placed at the end of a function's stack frame. Just before function return, the canary's value is checked, and if it has changed, the user is notified.

    So what you do is build a test version of Flash with canaries enabled in the compiler, then try feeding it all kinds of potentially buffer-overrunning input.

    To enable canaries:

    The Xcode-Users post I linked to says that stack canaries were discussed in session 109 at Apple's developer conference, in 2007 I think. You should be able to view it on the Apple Developer Connection website.

    I'll send you my bill in the mail.

    --
    Request your free CD of my piano music.
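
The check described in the comment above, modelled by hand as an added example (not code from the thread, from Adobe, or from any compiler). `struct frame`, `parse_record` and the canary constant are hypothetical names and values; a real compiler option such as GCC/Clang `-fstack-protector` emits the prologue and epilogue itself, uses a random per-process canary, and aborts the process instead of returning a flag.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define CANARY_VALUE 0xC0FFEE5AU /* constructed; real canaries are random */

/* Model of a stack frame: a local buffer followed by the canary word.
 * A flat byte array keeps the simulated overrun well-defined C. */
struct frame {
    unsigned char bytes[BUF_SIZE + sizeof(uint32_t)];
};

static void frame_enter(struct frame *f) /* what the prologue does */
{
    uint32_t canary = CANARY_VALUE;
    memset(f->bytes, 0, BUF_SIZE);
    memcpy(f->bytes + BUF_SIZE, &canary, sizeof canary);
}

static int frame_leave_ok(const struct frame *f) /* what the epilogue does */
{
    uint32_t canary;
    memcpy(&canary, f->bytes + BUF_SIZE, sizeof canary);
    return canary == CANARY_VALUE;
}

/* Unchecked copy standing in for a parser that trusts the input length.
 * The length is clamped to the model frame so the demo never writes
 * outside it. Returns 1 if the canary survived, 0 if it was clobbered. */
int parse_record(const unsigned char *input, size_t len)
{
    struct frame f;
    frame_enter(&f);
    if (len > sizeof f.bytes)
        len = sizeof f.bytes;
    memcpy(f.bytes, input, len); /* bug: len is never checked against BUF_SIZE */
    return frame_leave_ok(&f);
}

int main(void)
{
    unsigned char in[BUF_SIZE + 4]; /* constructed test input */
    memset(in, 'A', sizeof in);
    printf("16-byte input: canary %s\n", parse_record(in, BUF_SIZE) ? "intact" : "clobbered");
    printf("20-byte input: canary %s\n", parse_record(in, sizeof in) ? "intact" : "clobbered");
    return 0;
}
```

A single byte past the buffer is enough to change the canary, which is why feeding a canary-enabled test build oversized inputs surfaces overruns that would otherwise corrupt the frame silently.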
  6. Re:Hmm Windows only... and SQL injection? by linal · · Score: 2, Informative

    SQL injects aren't an MS-specific problem, they are from poor programming and design. The same SQL injection attack could happen on any OS and DB.

  7. Re:And people by Anonymous Coward · · Score: 3, Informative

    I find swfdec to be better with YouTube atm.

  8. Re:This is NOT a 'zero day flaw'..... by Gewalt · · Score: 2, Informative

    No, zero day exploit refers to the fact that the exploit is publicly disclosed (and in use) before there is a patch to fix it. So yes, tomorrow, this will STILL be a zero day exploit.

    --
    Modding Trolls +1 inciteful since 1999
  9. NoScript WILL Save You (most of the time) by Giorgio+Maone · · Score: 4, Informative

    SWF and other payload files cannot be uploaded and hosted on the compromised web server as easily as SQL-injecting a script fragment which downloads them from a 3rd party site in full control of the attacker. In this and all the recent mass-infection cases, the 3rd party hosts have been improbable Chinese domains likely registered ad hoc (such as wuqing17173.cn, woai117.cn or dota11.cn), and very unlikely to be in your NoScript whitelist, no matter how savage your browsing habits could be.

    So in all "real world" scenarios seen so far, this one included, you are protected by NoScript in its default configuration, which blocks 3rd party embeddings even if you're visiting a trusted page.

    Then if you want extra protection for the use cases you've listed (i.e. frequent usage of Flash-intensive community driven web sites), you can also configure NoScript to block ALL the embedded objects, with no regard for their origin: you will still be able to temporarily allow them selectively, by clicking on a visual placeholder.

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
  10. Re:This is NOT a 'zero day flaw'..... by Gewalt · · Score: 2, Informative

    ya, now you're just mumbling incoherent gibberish. So sad. Either accept that your perceived definition was wrong, or stop talking about how you don't like what it doesn't mean.

    The phrase is not meaningless, there is no reason to stop using it.

    --
    Modding Trolls +1 inciteful since 1999
  11. NoScript can block Flash even if JS is enabled by Giorgio+Maone · · Score: 2, Informative

    Just check NoScript Options|Plugins|Apply these restrictions to trusted sites too. In this configuration, NoScript effectively replaces FlashBlock, and it works on plugins different from Flash as well.

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
  12. Re:And people by pizzach · · Score: 2, Informative

    I just installed the newest CVS 20 minutes ago. YouTube definitely still plays. Be warned though that it currently uses a crapload of CPU, and there can be a video lag while gnash loads things. Afterwards it's fine though.

    --
    Once you start despising the jerks, you become one.
  13. No worries by __aavonx8281 · · Score: 2, Informative

    I'll just install the open source alternative to Flash on my Windows desktop...

    Guess this is the moment for Gnash (http://www.gnu.org/software/gnash/) to shine!

  14. Updated info re this sploit... by Fallen+Andy · · Score: 3, Informative

    ShadowServer has updated information on this here.

    See also Symantec Threatcon here

    So it looks as if you have the latest flash plugin (9.0.124) you may be ok.

    Andy