Unpatched Critical Flash Player Vulnerability Possibly Exploited in the Wild

[tipo]

According to the preliminary findings of some security researchers, a new zero-day vulnerability in Adobe Flash Player might be exploited in the wild to infect users with a trojan.

The alert comes from independent security researcher Mila Parkour, who maintains the Contagio Malware Dump blog. Ms. Parkour was also credited back in September with reporting an actively exploited Adobe Reader zero-day vulnerability.

The researcher posted a screenshot of the new attack in action and it looks like the unpatched Flash Player vulnerability is exploited via malicious SWF content embedded in a .pdf document.

Successful exploitation results in two files called nsunday.exe and nsunday.dll being dropped and executed on the system.

According to a ThreatExpert analysis, these files are components of a Wisp trojan variant. Wisp is a relatively new trojan discovered back in March and is capable of stealing information, as well as downloading and executing malicious files.

A VirusTotal scan of the executable, reveals that 15 antivirus engines detect it as malicious, mostly via generic signatures.

It seems like the people behind this threat are used with exploiting zero-day vulnerabilities. Wisp.A was originally distributed via drive-by download attacks targeting an unpatched flaw (CVE-2010-0806) in Internet Explorer.

Adobe's Product Security Incident Response Team has been notified of the suspected Flash Player vulnerability, but it has yet to test and confirm it.

This is very bad news. If the new zero-day is confirmed - and there is a strong possibility that it will - people might be exposed to attacks for weeks.

Even if Adobe quickly rolls out a patch for Flash Player, the vulnerability will remain exploitable through Adobe Reader, which has its own embedded Flash interpreter.

Adobe Reader and Acrobat follow an uniform quarterly update cycle and the next update is a long long time away, being scheduled for February 8, 2011.

The company has broken out of this cycle on multiple occasions to fix zero-day vulnerabilities, but due to their corporate adoption, Adobe Reader and Acrobat releases require thorough testing that takes a lot of time.

Until this is sorted out, it might be sensible for users to disable Flash support in Adobe Reader, especially if they don't need it. This can be done by renaming the "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" file.

LINK

[DKT27]

Adobe under attack: New PDF, Flash zero-day

Adobe's security response team is scrambling to respond to new zero-day attacks against a computer hijack vulnerability in two of its most widely deployed products: Flash Player and Adobe PDF Reader. The flaw, which is currently being exploited in the wild with booby-trapped PDF documents, affects Windows, Mac, Linux and Solaris users. The zero-day attacks are currently targeted Windows users.

Here's a summary of the problem:

A critical vulnerability has been identified in Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe has posted an advisory that notes that the attacks are only against Adobe Reader and Acrobat. The company said it was not aware of attacks targeting the ubiquitous Flash Player.

Temporary mitigations

In the interim, the company suggests that affected users delete, rename or remove access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x.

This mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x - Macintosh

1) Go to the Applications->Adobe Reader 9 folder.

2) Right Click on Adobe Reader.

3) Select Show Package Contents.

4) Go to the Contents->Frameworks folder.

5) Delete or move the AuthPlayLib.bundle file.

Acrobat Pro 9.x - Macintosh

1) Go to the Applications->Adobe Acrobat 9 Pro folder.

2) Right Click on Adobe Acrobat Pro.

3) Select Show Package Contents.

4) Go to the Contents->Frameworks folder.

5) Delete or move the AuthPlayLib.bundle file.

Adobe Reader 9.x - UNIX

1) Go to installation location of Reader (typically a folder named Adobe).

2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).

3) Remove the library named "libauthplay.so.0.0.0."

Adobe said it expects to have a patch for Flash Player by November 9, 2010 and update for Adobe Reader and Acrobat 9.x during the week of November 15, 2010.

View: Original Article

[CODYQX4]

Ugh, yet another massive Adobe update Patch Tuesday (typical). Is this the 1000th exploit this year?

[DKT27]

Ugh, yet another massive Adobe update Patch Tuesday (typical). Is this the 1000th exploit this year?

Somewhere near that I guess. They would have announced if they reached that honorable number. :P