The exploit can also come embedded into PDF documentsAdobe has confirmed a critical vulnerability affecting the latest version of its Flash Player product, after reports of it being exploited in the wild surfaced. The zero-day flaw can be exploited by tricking users into viewing a maliciously crafted .swf file or opening PDF documents with malicious Flash streams embedded.
Multiple security companies reported yesterday that a previously unknown Flash vulnerability was being actively exploited to infect computers with malware. These attacks are currently limited in number, but they are expected to increase as soon as more details about the flaw are made public.
The bug affects even the latest version of Flash Player and can facilitate drive-by downloads when visiting malicious or compromised websites, with a malicious SWF file embedded. The SANS Internet Storm Center (ISC) confirms that the exploit works in Internet Explorer, however a different shellcode version targeting Firefox is also rumored to be in circulation. "At the moment there is a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate websites to create a drive-by attack, as expected," ISC's Bojan Zdrnja writes.
Meanwhile, security researchers from Symantec and iDefense warn of exploit code for this flaw being embedded into malformed PDF documents. "In this exploitation the PDF exploiting the vulnerability includes multiple Flash streams (FWS). One of these is used to dynamically create the shellcode and uses a heap spray technique to increase the chances of success of the exploit," Patrick Fitzgerald, senior security response manager at Symantec, explains.
If exploitation is successful, a Trojan installer is dropped on the computer. The file will immediately be executed under Windows XP, however it will fail on Windows Vista with User Account Control (UAC) enabled. Antivirus detection for the malicious PDF documents and SWF file, as well as the dropped malware is still very low, according to scans on VirusTotal.
Adobe has released a security advisory saying that a patch for Flash Player on Windows, Mac and Linux is expected until July 30. An update for Adobe Reader and Acrobat is also planned to be released by July 31, as this vulnerability also affects the authplay.dll component included in those products. According to a bug tracker entry, the vulnerability has apparently been known by Adobe since 31 December 2008.
The company notes that deleting, renaming, or removing access to authplay.dll will mitigate the PDF attack vector. Meanwhile, Firefox users can employ the NoScript extension, which blocks flash movies by default, to protect themselves. However, the only advice to Internet Explorer users is to exercise extra caution when browsing untrusted websites and to keep antivirus definitions up-to-date.