Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Flash Zero-Day Attack Underway

Posted by kdawson on from the gone-in-a-flash dept.

Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"

7 of 246 comments (clear)

  1. And people by Anonymous Coward · · Score: 5, Insightful

    And people wonder why I use noscript and flashblock. When untrusted adds in flash are being served on big "trusted" websites people are eventually going to get bit.

    1. Re:And people by mrbluze · · Score: 5, Insightful

      And people wonder why I use noscript and flashblock I imagine those using the malware are not hoping that sensible people such as yourself get infected at all, but the PC's belonging to the members of the unwashed e-masses who wouldn't have the foggiest what anyone's talking about. Their computers are much better because the life of your exploit is likely to be long and chances of anyone chasing and finding you are slim.
      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    2. Re:And people by Anonymous Coward · · Score: 5, Insightful

      Protip: Noscript will not save you.

      I am not saying it wouldn't HELP both in usability of websites and security. I use it myself, too.

      I am, however, saying that it keeps you a lot less secure than many (not specifically the person I'm responding to) seem to think.

      I have used NoScript for half a year or so (Well, a bit longer I think but half a year on this OS install, this whitelist, etc.)

      What does this mean? I have several hundreds of, possibly thousands of, whitelisted websites. I play a lot of small flash games to kill time so I have addictinggames, miniclips, arcade and a dozen other flash game sites whitelisted.

      "I know the webmaster of arcade.fi personally, a good guy, I can keep his website whitelisted, right?" Well... I also know he buys most of the games from freelance coders in india. Quite cheaply. How can I be certain that one day in one of these programs won't be a zero day exploit? I can't. So a trusted website that has always been trusted might still not be trustworthy.

      Same with many other sites. I (and I know many others of you) have also many pornsites whitelisted, how do I know one of those trusted websites with a lot of traffic won't one day have been hacked to have some exploitation code? I don't.

      NoScript won't protect me against any sites that I visit often, really.

    3. Re:And people by Opportunist · · Score: 5, Insightful

      That's pretty much it.

      It's nice for you that you don't get infected. But you don't count (not trying to be belittling you, nobody counts). What counts is numbers. And for one person who knows what he's doing when clicking a link, there's thousands who don't know the difference between browser, flash and the OS.

      And these people are a problem. They become spam relays, increasing traffic (and making spamfilters a necessity). They get ripped off by password stealing trojans, making the services they use more expensive for everyone in turn (because neither banks, nor amazon, nor ebay simply swallow the loss, they just have everyone pay a few cents more).

      And no, I have no solution for the problem. Unfortunately I'm not in the position to dictate who may use the net and who may not. Actually, the ones that do have the legal muscle to dictate it want those "unwashed masses" rather than people who know how to use their computers. The former group tends to buy. The latter tends to know how to do it themselves.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Flash perpetual vulnerability by amrik98 · · Score: 5, Insightful

    This isn't the first or the last time Flash will have vulnerabilities discovered, and I understand this can happen with any software. It is just the frequency and consistency of these vulnerabilities that concerns me. When I install a binary blob from Adobe its always in the back of my mind that I could be opening up my system to attack.

  3. Welcome to the proprietary internet. by NotZed · · Score: 5, Insightful

    A taste of what it could've been and what it might yet become?

    --
    _ // `Thinking is an exercise to which all too few brains
    \\/ are accustomed' - First Lensman
  4. Re:SNAFU by Divebus · · Score: 5, Insightful

    How exactly is it the worst company ever to supply software for the web. Here's my short list:

    1) Adobe Reader takes too long to launch compared to other software. People moan when they encounter a PDF on the web.
    2) Flash (yes, they own it now) is a resource hog when visiting web sites with only a few ads. Enough already.
    3) If you have the Adobe CS3 suites, you'll come to HATE the update agent... slow, intrusive, frequent.
    4) I'm always removing the Adobe reader Plugin from my browser after a CS3 upgrade. I don't want the damned thing in there.
    5) Right click a banner ad and look at Settings. I don't like my camera and microphone being a choice there.

    I wouldn't call it the WORST company... Adobe didn't make IE. That said, I get a lot of good use out of Adobe products, but sheesh... it can be the most sluggish stuff you'll ever use.

    --

    Most of the stuff on /. won't survive first contact with facts.