
Alert (TA08-149A)

Exploitation of Adobe Flash Vulnerability

Original Release date: May 28, 2008 | Last revised: --

Systems Affected

Overview

A vulnerability that affects Adobe Flash Player 9 is being actively exploited to install malicious software.

Description

A vulnerability in Flash Player 9 is being actively exploited. The latest version of Flash Player (9.0.124.0) appears to correct the vulnerability. Analysis indicates that this vulnerability is the same as or similar to the one described in Application Specific Attacks: Leveraging the ActionScript Virtual Machine by Mark Dowd. The vulnerability depends on ActionScript 3.0, which was introduced in Flash Player 9, so previous versions do not appear to be affected.

To exploit this vulnerability, an attacker could cause a victim to open specially crafted Flash content. Public incident reports (SANS ISC, Symantec ThreatCon) indicate that this and possibly other Flash vulnerabilities are being actively exploited. Attacks likely involve multiple web sites, specially crafted Flash content, and obfuscated JavaScript to cause a victim to browse to a site that uses the vulnerability to install malicious software. Attackers may compromise otherwise trusted web sites using SQL injection or cross-site scripting vulnerabilities to inject JavaScript that directs visitors to malicious Flash content.

The vulnerability (or vulnerabilities) being used in these attacks is described in US-CERT Vulnerability Notes VU#395473 and VU#159523. A post on the Adobe Product Security Incident Response Team (PSIRT) blog states that the exploit "...appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071)."

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code. Various sources report that attackers are exploiting this vulnerability to install malicious software.

Solution

Upgrade

Upgrade to Flash Player 9.0.124.0 or later. The installation process for Flash Player differs depending on the web browser and platform. Take care to upgrade Flash Player in every web browser installed, since each browser may carry its own copy of the player.

To check the version of Flash Player, visit the Version test for Adobe Flash Player using each web browser that supports Flash.
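The per-browser version check above, as an added example that is not part of the original alert: it classifies reported Flash Player version strings against the fixed version 9.0.124.0 and lists hosts where any browser still needs an upgrade. The inventory and host names are constructed, and the input format is assumed to be either the comma-separated string the player reports (e.g. "WIN 9,0,115,0") or a plain dotted version.

```python
import re

# Version named in TA08-149A as correcting the vulnerability.
FIXED = (9, 0, 124, 0)


def parse_flash_version(s):
    """Parse 'WIN 9,0,115,0', 'MAC 9,0,124,0' or '9.0.115.0' into a tuple
    of four ints. Returns None when no version can be recovered."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", s)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(s):
    """Classify one reported version string against the alert:
    'unknown'      - no parseable version
    'not_affected' - major version below 9 (no ActionScript 3.0, per the alert)
    'vulnerable'   - 9.x below 9.0.124.0
    'patched'      - 9.0.124.0 or later"""
    v = parse_flash_version(s)
    if v is None:
        return "unknown"
    if v[0] < 9:
        return "not_affected"
    return "patched" if v >= FIXED else "vulnerable"


# Constructed sample inventory: (host, browser, version string as reported by
# that browser's copy of Flash Player). Host and browser values are made up.
INVENTORY = [
    ("ws01", "Internet Explorer", "WIN 9,0,124,0"),
    ("ws01", "Firefox", "WIN 9,0,115,0"),   # second browser still old
    ("ws02", "Firefox", "WIN 9,0,124,0"),
    ("ws03", "Safari", "MAC 8,0,39,0"),     # pre-9, out of scope per alert
    ("ws04", "Firefox", "n/a"),             # version test never completed
]


def report(inventory):
    """Return (host, browser, status) for every browser in the inventory."""
    return [(host, browser, assess(ver)) for host, browser, ver in inventory]


def hosts_needing_upgrade(inventory):
    """Hosts with at least one browser that is vulnerable or could not be
    checked; a host is only clear when every browser's player is patched."""
    flagged = {h for h, _, status in report(inventory)
               if status in ("vulnerable", "unknown")}
    return sorted(flagged)


if __name__ == "__main__":
    for row in report(INVENTORY):
        print("%-5s %-18s %s" % row)
    print("needs upgrade:", hosts_needing_upgrade(INVENTORY))
```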

Block Flash Content

To partially mitigate this and other Flash vulnerabilities, configure web browsers to block Flash content. Securing Your Web Browser provides instructions to disable Flash and more generally ActiveX, plug-ins, and script for untrusted web sites. The NoScript and Flashblock add-ons can block Flash content in Firefox and other Mozilla-based browsers.


References


Revision History
