Exploit In-the-Wild: Patch Your Flash Player Now
If you have not yet applied the patch that Adobe released last month to plug security holes in its Flash Player, do not procrastinate further: Security experts warn that a growing number of Web sites are using Flash vulnerabilities to install password-stealing software when users visit them with unpatched Web browsers.
It's not entirely clear whether the attackers are taking advantage of a brand new flaw, or one that Adobe already fixed.
Symantec, McAfee, the SANS Internet Storm Center and some independent researchers raised the alarm on Tuesday, indicating that hackers were exploiting a previously undocumented and unpatched flaw in Flash.
Further analysis of the sites distributing the malicious code suggests that the attack does not work against the latest version of Flash for either Internet Explorer or Firefox. So, users with the latest version of Flash should be protected from this attack.
Symantec's initial writeup clashed with the conclusions I heard about Tuesday afternoon from researchers at Reston, Va.-based iDefense. Matt Richard, director of rapid response for iDefense, told me the exploit appears to mimic a method written about in a white paper published last month by Mark Dowd, a researcher at IBM's Internet Security Systems.
Symantec updated its initial advisory late Tuesday evening, to confirm that the bad guys indeed appear to have adopted the technique Dowd described. But Symantec says it is still working with Adobe to identify the precise details, "due to the fact that we have observed the malicious files affecting patched versions of Flash, suggesting it may be a variant or incorrectly patched."
Richard said it looks like attackers first started exploiting this Flash flaw as early as May 24, and that the number of Web sites (both malicious and hacked) hosting or pointing to sites hosting the code is multiplying quickly.
A spokesperson for Adobe declined to comment for this story, except to say the company was working with Symantec to investigate the vulnerability and that Adobe would likely have more details to share later today. I'll update this post in the event they release anything substantive.
For now, even if you think you already patched your browser with the latest Flash update, it's a good idea to go ahead and double-check that all of your browsers are up to date. Installing Flash on Internet Explorer is a separate process from installing it on Firefox and Opera, so just because you installed it for Opera or Firefox doesn't mean you've installed it for IE as well, and vice versa.
To check your version, visit Adobe's "About Flash" page with all browsers you use regularly to make sure the version number says you are running Flash Version 220.127.116.11.
If you are running a version of Flash that is anything less than 18.104.22.168 (i.e., a lower version number, such as 22.214.171.124 or 126.96.36.199), I would strongly advise you to update it now. Visit this link with whichever browser is outdated, and it should present you with the latest version to install for that browser type.
Of course, the "noscript" add-on for Firefox can give users of that browser greater control over which sites should be allowed to serve Flash by default.
Update, May 28, 12:56 p.m. ET: The SANS Internet Storm Center updated its advisory on this attack today, saying the exploits found in the wild do not appear to attack a new vulnerability. A Storm Center incident handler I chatted with confirmed that none of the exploits spotted so far work against the latest, patched version of Flash, version 188.8.131.52.
Update, May 28, 2:26 p.m. ET: Adobe just released a statement clarifying, as Security Fix has already noted, that this attack is not exploiting a new vulnerability. From their statement: "This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere - customers with Flash Player 184.108.40.206 should not be vulnerable to this exploit. We're still looking in to the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 220.127.116.11."
I also spoke with Ben Greenbaum, senior research manager for Symantec Security Response. Greenbaum said the confusion about whether this was a new attack stemmed from the fact that the exploits did in fact work against the stand-alone version of Flash Player, an application that isn't anywhere near as widely deployed as the browser plug-in version of Flash. Greenbaum said the latest stand-alone version of Flash is protected against this attack, but the latest stand-alone version made for software developers (the one with debugging built-in) is vulnerable. In addition, he said, all Linux versions of the stand-alone Flash player are susceptible to this attack (although not the viral payload that it currently delivers). He added that it is highly unlikely that the average Windows user has anything but the browser plug-in versions of Flash installed.