MA-132.052008: MyCERT Special Alert - Vulnerabilities in Adobe Flash Player

Original Issue Date: 30 May 2008

1.0 Introduction

MyCERT has been observing an Adobe Flash Player SWF vulnerability [1] being actively exploited in the wild. An attacker can exploit it by enticing an unsuspecting victim to open an SWF file, which then executes arbitrary code in the context of the affected application. Flash Player is normally used with a browser such as Mozilla Firefox or Internet Explorer.

2.0 Vulnerability description

The vulnerability, if successfully exploited, allows an attacker to execute arbitrary code remotely. It is triggered through an unspecified input validation issue in vulnerable Adobe Flash versions. Based on our analysis, the exploit runs when a crafted SWF file is opened. The file may be given a different file type to disguise its real type, and may be sent via email or delivered by tricking the victim into visiting websites that have the malicious code embedded.

3.0 Software affected

Affected software are as follows:

Other operating system vendors have listed the Flash Player included in their products as affected. The affected applications are listed at http://www.securityfocus.com/bid/28695

4.0 Technical Details

To get users to open the specially crafted SWF file, attackers insert HTML scripts into compromised websites that redirect victims to servers hosting malicious JavaScript. MyCERT has determined that the JavaScript is able to detect the type of browser used by the victim. It then redirects the user to a specific URL that corresponds to the version of the browser. That URL contains the SWF file, which detects the version of Flash Player and executes the exploit based on the Flash Player version.

Another method used in this attack is an SWF file that redirects the user to the malicious sites, instead of the JavaScript in the example above. In some cases, attackers also disguise the malicious file by renaming it to other file types or by compressing it.

As of now, more than 30 domains have been identified as exploit-hosting websites, and the number may increase over time. In addition, the number of sites compromised with HTML scripts that redirect users to the malicious sites is increasing as well. MyCERT has covered this issue in our previous advisory [2].

Most of the malicious files involved in the exploit are detectable by major antivirus software. The files come in several naming formats, namely .swf, .dat, and .css.

5.0 Solutions and workaround

Upgrade to Adobe Flash Player version 9.0.124.0. It can be downloaded from this URL: http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash

If the user is not able to upgrade Adobe Flash Player, the following steps are advised:
For Firefox users, use a script-disabling plug-in (NoScript) to prevent malicious scripts from being loaded.
For Internet Explorer users, set the "killbit" for the CLSID BD96C556-65A3-11D0-983A-00C04FC29E36 to disable Flash from being opened in the browser. For details on how to configure it, please refer to: http://support.microsoft.com/kb/240797
Browse the Internet with least privilege to limit the execution of the malicious file.
Do not open attachments or browse to unknown websites received via email from unknown persons or unexpectedly.
Allow the plug-ins to be used only on whitelisted sites.
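
Because section 4.0 notes that the malicious files arrive renamed as .dat or .css, or compressed, a check on content rather than file name is useful when reviewing mail attachments or browser caches. The following is an added example, not MyCERT's own code: it identifies SWF content by its header signature ("FWS" uncompressed, "CWS" zlib-compressed) and reports files whose extension is not .swf. The function names and the sample files (header plus zero bytes only) are constructed for illustration.

```python
import struct
import zlib
from pathlib import Path

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length.
SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib"}

def inspect_swf(data: bytes):
    """Return header facts if data begins with a plausible SWF header, else None."""
    if len(data) < 8 or data[:3] not in SIGNATURES:
        return None
    version, declared_len = data[3], struct.unpack("<I", data[4:8])[0]
    if declared_len < 8:
        return None  # the length field counts the 8-byte header itself
    if data[:3] == b"CWS":
        try:  # confirm the body really is a zlib stream (bounded inflate)
            zlib.decompressobj().decompress(data[8:], 64)
        except zlib.error:
            return None
    return {"packing": SIGNATURES[data[:3]], "version": version, "length": declared_len}

def find_disguised_swf(root):
    """List files under root whose content is SWF but whose extension is not .swf."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            info = inspect_swf(fh.read(4096))
        if info and path.suffix.lower() != ".swf":
            hits.append((path.name, info["packing"], info["version"]))
    return hits

def make_constructed_samples(root):
    """Write constructed, harmless sample files (SWF header + zero bytes only)."""
    body = bytes(32)
    fws = b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + body
    cws = b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    files = {"banner.swf": fws, "cache.dat": cws, "style.css": fws,
             "real.css": b"body { color: #000; }\n"}
    for name, content in files.items():
        (Path(root) / name).write_bytes(content)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_samples(tmp)
        for hit in find_disguised_swf(tmp):
            print(hit)
```

A hit only means the file is Flash content under a misleading name; it should then be passed to antivirus scanning or quarantined for analysis.
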

Reference

http://www.adobe.com/support/security/bulletins/apsb08-11.html
isc.sans.org/diary.html?storyid=4465
http://www.securityfocus.com/bid/29386/info
http://www.uscert.gov/current/index.html#adobe_flash_player_vulnerability