Adobe Flash Zero-Day Attack Underway

← Back to Stories (view on slashdot.org)

Adobe Flash Zero-Day Attack Underway

Posted by kdawson on Tuesday May 27, 2008 @07:26PM from the gone-in-a-flash dept.

Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"

26 of 246 comments (clear)

Min score:

Reason:

Sort:

And people by Anonymous Coward · 2008-05-27 19:28 · Score: 5, Insightful

And people wonder why I use noscript and flashblock. When untrusted adds in flash are being served on big "trusted" websites people are eventually going to get bit.
1. Re:And people by mrbluze · 2008-05-27 19:34 · Score: 5, Insightful
  
  And people wonder why I use noscript and flashblock I imagine those using the malware are not hoping that sensible people such as yourself get infected at all, but the PC's belonging to the members of the unwashed e-masses who wouldn't have the foggiest what anyone's talking about. Their computers are much better because the life of your exploit is likely to be long and chances of anyone chasing and finding you are slim.
  
  --
  Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
2. Re:And people by Anonymous Coward · 2008-05-27 19:46 · Score: 5, Insightful
  
  Protip: Noscript will not save you.
  
  I am not saying it wouldn't HELP both in usability of websites and security. I use it myself, too.
  
  I am, however, saying that it keeps you a lot less secure than many (not specifically the person I'm responding to) seem to think.
  
  I have used NoScript for half a year or so (Well, a bit longer I think but half a year on this OS install, this whitelist, etc.)
  
  What does this mean? I have several hundreds of, possibly thousands of, whitelisted websites. I play a lot of small flash games to kill time so I have addictinggames, miniclips, arcade and a dozen other flash game sites whitelisted.
  
  "I know the webmaster of arcade.fi personally, a good guy, I can keep his website whitelisted, right?" Well... I also know he buys most of the games from freelance coders in india. Quite cheaply. How can I be certain that one day in one of these programs won't be a zero day exploit? I can't. So a trusted website that has always been trusted might still not be trustworthy.
  
  Same with many other sites. I (and I know many others of you) have also many pornsites whitelisted, how do I know one of those trusted websites with a lot of traffic won't one day have been hacked to have some exploitation code? I don't.
  
  NoScript won't protect me against any sites that I visit often, really.
3. Re:And people by Daengbo · 2008-05-27 20:00 · Score: 5, Informative
  
  That's why you should be using Gnash. Monoculture (all Flash being played by Adobe Flash player) is a bad thing when an infection occurs.
  
  --
  Put identity in the browser.
4. Re:And people by Opportunist · 2008-05-27 20:15 · Score: 5, Insightful
  
  That's pretty much it.
  
  It's nice for you that you don't get infected. But you don't count (not trying to be belittling you, nobody counts). What counts is numbers. And for one person who knows what he's doing when clicking a link, there's thousands who don't know the difference between browser, flash and the OS.
  
  And these people are a problem. They become spam relays, increasing traffic (and making spamfilters a necessity). They get ripped off by password stealing trojans, making the services they use more expensive for everyone in turn (because neither banks, nor amazon, nor ebay simply swallow the loss, they just have everyone pay a few cents more).
  
  And no, I have no solution for the problem. Unfortunately I'm not in the position to dictate who may use the net and who may not. Actually, the ones that do have the legal muscle to dictate it want those "unwashed masses" rather than people who know how to use their computers. The former group tends to buy. The latter tends to know how to do it themselves.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
5. Re:And people by NoobixCube · 2008-05-27 20:41 · Score: 4, Funny
  
  An example of the knowledge of the masses: When I commented to my mother that I spent the day watching flash cartoons, she thought I meant animated porn.
  
  --
  Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
6. Re:And people by Anonymous Coward · 2008-05-27 20:44 · Score: 5, Informative
  
  It plays them now
7. Re:And people by Spad · 2008-05-27 20:54 · Score: 5, Funny
  
  Lucky guess?
8. Re:And people by obi · 2008-05-27 21:11 · Score: 4, Insightful
  
  It's not as if there never have been any exploits for the JPG or PNG decoders in common browsers. Will you now browse the web with images blocked too?
9. Re:And people by pizzach · 2008-05-27 21:47 · Score: 4, Interesting
  
  Even if the current version in your distribution's repositories is not able to play YouTube videos, the cvs version at least can. I remember reading somewhere that getting and keeping YouTube movies playable was a top priority.
  
  --
  Once you start despising the jerks, you become one.
10. Re:And people by NoobixCube · 2008-05-27 22:10 · Score: 5, Funny
  
  That's completely beside the point :P
  
  --
  Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
11. Re:And people by CaptnMArk · 2008-05-27 23:41 · Score: 4, Insightful
  
  My guess, CVS was available sooner.
  
  Also, for a developer who only does update/work/diff/commit, CVS (and SVN) is easier
  to use than git.
12. Re:And people by aliquis · 2008-05-28 00:03 · Score: 4, Interesting
  
  If only that video-in-webpages-standard was implemented (is in Safari now) and used it would be so sweet to just remove that flashcrap alltogether. Too bad on webpages made only in flash but well, those suck anyway =P
13. Re:And people by TheGratefulNet · 2008-05-28 01:26 · Score: 4, Insightful
  
  Well, using ad-blockers like this is considered to be taboo behavior in most of forum communities.
  
  I'm quite active in a lot of forums and while some webmeisters might bitch about it, they have every right to write piss poor web code (including intrusive banners) and I have every right NOT to see such crap when I browse.
  
  do you believe it when TV shows make you feel like you are 'stealing' if you don't watch the ads between the show segments?
  
  how is blocking ads any diff?
  
  why would you just 'give in' to some stupid webmaster? he has his views but its not the full story. and if he goes away due to 'lack of profit motive' another (maybe better) will come along. dime a dozen.
  
  I don't 'protect' webmasters. they are not any better than users and don't deserve any more consideration than they give users (which tends to be on the low end of the respect stick).
  
  --
  
  --
  "It is now safe to switch off your computer."
SNAFU by Anonymous Coward · 2008-05-27 19:31 · Score: 4, Funny

Situation Normal, All Flashed Up
1. Re:SNAFU by Divebus · 2008-05-27 21:11 · Score: 5, Insightful
  
  How exactly is it the worst company ever to supply software for the web. Here's my short list:
  
  1) Adobe Reader takes too long to launch compared to other software. People moan when they encounter a PDF on the web.
  2) Flash (yes, they own it now) is a resource hog when visiting web sites with only a few ads. Enough already.
  3) If you have the Adobe CS3 suites, you'll come to HATE the update agent... slow, intrusive, frequent.
  4) I'm always removing the Adobe reader Plugin from my browser after a CS3 upgrade. I don't want the damned thing in there.
  5) Right click a banner ad and look at Settings. I don't like my camera and microphone being a choice there.
  
  I wouldn't call it the WORST company... Adobe didn't make IE. That said, I get a lot of good use out of Adobe products, but sheesh... it can be the most sluggish stuff you'll ever use.
  
  --
  
  Most of the stuff on /. won't survive first contact with facts.
2. Re:SNAFU by gaspyy · 2008-05-27 23:33 · Score: 4, Interesting
  
  Intentionally or not - you're trolling.
  
  1. Adobe Reader 8 launches almost instantly for me after the first run, when it optimizes its launch (and I always disable the startup option). Version 6 was awful but things have changed. I do agree that it's bloated (over 200Mb) but I had problems displaying complex/cmyk docs in Foxit. YMMV.
  
  2. Flash - use AdBlock. The technology is not at fault as flash is pretty lightweight itself. It's the advertisers who think I'll click their stupid ads if they add annoying sounds and the webmasters who think that by cramming more ads there's a better chance of me clicking on one.
  
  3. The update agent is slow 'cause it downloads only when the connection is idle. I do agree that it's annoying for it to ask to close almost all programs when updating.
  
  5. You do realize that camera and mic are turned off by default, don't you? You need to expressly enable them on a site-by-site basis.
  
  So there you have it.
  
  That's not to say that I don't hate Adobe myself for other things:
  - activation is a pain in the ass, especially if you don't get the chance to deactivate the software first from the old computer and activate on the new one (happened to me after a hdd crash).
  - the software is artificially segmented in some cases, e.g. Premiere and After Effects should be one software, or Illustrator and Indesign (CorelDraw acts as a combination between the two).
Flash perpetual vulnerability by amrik98 · 2008-05-27 19:37 · Score: 5, Insightful

This isn't the first or the last time Flash will have vulnerabilities discovered, and I understand this can happen with any software. It is just the frequency and consistency of these vulnerabilities that concerns me. When I install a binary blob from Adobe its always in the back of my mind that I could be opening up my system to attack.
Welcome to the proprietary internet. by NotZed · 2008-05-27 19:51 · Score: 5, Insightful

A taste of what it could've been and what it might yet become?

--
_ // `Thinking is an exercise to which all too few brains
\\/ are accustomed' - First Lensman
Oh... dear... God by religious+freak · 2008-05-27 19:52 · Score: 5, Funny

What kind of horrible, horrible update scheme will Adobe come up with to try to combat this?! The thoughts are too terrible to imagine...

--
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
Re:Hmm Windows only... and SQL injection? by Hal_Porter · 2008-05-27 20:16 · Score: 4, Funny

It's Windows only because Microsoft wrote it to promote their Silverlight initiative. Siverlight doesn't work on Macs or Linux, so there's no point porting the exploit there.

--
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Why is SQL injection even still a problem? by MichaelCrawford · 2008-05-27 20:37 · Score: 4, Insightful

And I'm not saying the web application developers need to prevent it: it needs to be fixed in the database and its communication protocols. I think it's quite an outrageously bad architecture that has payload and control data together on the same channel.
After all, it's my God-Given Right to name my son Robert'; DROP TABLE STUDENTS. I shouldn't be getting nasty phone calls from every school he's ever attended!

--
Request your free CD of my piano music.
Hey Adobe: Try Using Stack Canaries! by MichaelCrawford · 2008-05-27 20:46 · Score: 5, Informative
No doubt someone from Adobe will be reading this Slashdot story.
A Stack Canary is a value placed at the end of a function's stack frame. Just before function return, the canary's value is checked, and if it has changed, the user is notified.
So what you do is built a test version of Flash with canaries enabled in the compiler, then try feeding it all kinds of potentially buffer-overruning input.
To enable canaries:
- Visual Studio for Windows: Use the /GS option
- GCC for Mac OS X: use -fstack-protector in your "Other C Flags" option in XCode
The Xcode-Users post I linked to says that stack canaries were discussed in session 109 at Apple's developer conference, in 2007 I think. You should be able to view it on the Apple Developer Connection website.
I'll send you my bill in the mail.
--
Request your free CD of my piano music.
Re:This is NOT a 'zero day flaw'..... by shird · 2008-05-27 21:30 · Score: 4, Insightful

That is not the definition of zero day. If you are going to condemn people for using it incorrectly, at least use it correctly yourself. The 'zero day' status merely refers to how long the exploit has been known - the 'zeroth' day being the day it is publicly disclosed. This day is important due to the fact it is basically impossible for people to be patched against the vulnerability on this day. In other words, tomorrow this will no longer be a 'zero day exploit'. (no doubt it was disclosed several days ago and isn't a zero day exploit today either).

--
I.O.U One Sig.
Flash dependent sites by Mathinker · 2008-05-27 22:11 · Score: 5, Interesting

> That's what temporary permissions are for.

Yes, I use them all the time, but what does that really mean? After I temporarily enable Flash/JS malware for a badly designed site which is just not viewable without them, I'm not going to get temporarily "pwned". It's already "game over".

Except for times like this, if the choice is enabling JS/Flash, or not getting information I was interested in, my thirst for information wins, all other things being equal (i.e., the URL looks like a legitimate one, etc.)

I never enable JS or Flash in order to see sites which I get to through advertisements, however.
NoScript WILL Save You (most of the time) by Giorgio+Maone · 2008-05-27 23:12 · Score: 4, Informative

SWF and other payload files cannot be uploaded and hosted on the compromised web server as easily as SQL-injecting a script fragment which downloads them from a 3rd party site in full control of the attacker. In this and all the recent mass-infection cases, the 3rd party hosts have been improbable domains Chinese domains likely registered ad hoc (such as wuqing17173.cn, woai117.cn or dota11.cn), and very unlikely to be in your NoScript whitelist, no matter how savage your browsing habits could be.

So in all "real world" scenarios seen so far, this one included, you are protected by NoScript in its default configuration, which blocks 3rd party embeddings even if you're visiting a trusted page.

Then if you want extra protection for the use cases you've listed (i.e. frequent usage of Flash-intensive community driven web sites), you can also configure NoScript to block ALL the embedded objects, with no regard for their origin: you will still be able to temporarily allow them selectively, by clicking on a visual placeholder.

--
There's a browser safer than Firefox, it is Firefox, with NoScript