Protective Actions Recommended by Don Jackson, Director of Threat Intelligence
The SecureWorks® Cyber Threat Intelligence Service is confirming the existence of newly released exploits targeting a critical flaw in Adobe Flash Player. Currently, exploits only target Flash Player versions for Windows platforms.
Attackers insert SCRIPT and IFRAME tags into the content of trusted, legitimate web sites via a known SQL injection attack. Those tags redirect the user to the attacker's server which hosts the Flash exploit. Tens of thousands of web sites are vulnerable to the SQL injection attack, meaning the distribution potential is high.
The vulnerability is not "zero-day"; however, these are the first known public exploits targeting it. The SecureWorks® Counter Threat Unit™ (CTU) has analyzed 18 variants of the exploit, and all attempt to leverage the integer overflow vulnerability originally discovered by Mark Dowd (CVE-2007-0071), which was patched by Adobe with release of version 9.0.124.0 of the Flash Player. While some have reported that the latest version is vulnerable, the CTU team was unable to duplicate these results with samples taken from known exploit sites. The only confirmed vulnerable version is (pre-patch) 9.0.115.0.
Recommended Protections Against Adobe Flash Exploits
Because 9.0.115.0 and possibly earlier vulnerable versions contain this highly critical flaw and are so widely distributed, the SecureWorks Threat Intelligence Service is advising that organizations verify their Flash Player versions and patch, if necessary, as soon as possible.
SecureWorks also advises organizations to verify that all Adobe Flash installations are running version 9.0.124 or later. This version may also be referred to as "9f", "9,0,124,0", "9.0 r124" or similar. However, Adobe Flash does not store version information in the registry. For individual PCs, the version of the currently installed Flash Player can be determined by visiting the official Adobe Flash web page.
To automate version checking, IT administrators can check for the existence and version number of the following files (%windir% may be C:\WINDOWS or C:\WINNT depending on the Windows version used):
- %windir%\system32\Macromed\Flash\Flash9f.ocx (IE ActiveX Control)
- %windir%\system32\Macromed\Flash\NPSWF32.dll (Netscape/Mozilla Plug-In)
Microsoft provides a tool called GetVers.exe to check version information in executables. More information is available at these web pages:
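The file-based check above can be scripted for a fleet. The following PowerShell is an added example, not SecureWorks' or Microsoft's tooling: it reads the PE version resource of the Flash files in %windir%\system32\Macromed\Flash (the same information GetVers.exe reports) and flags anything below 9.0.124.0. It goes slightly beyond the list above by matching any Flash*.ocx, so an older ActiveX build whose file name carries a different release letter is reported rather than silently skipped; the function and variable names are my own.

```powershell
# Added example: report installed Flash Player versions on a Windows host and
# flag any that are older than the patched release 9.0.124.0 named in the advisory.
# Assumes the Flash directory under %windir%\system32 described above.
$PatchedVersion = [version]'9.0.124.0'

function Get-FlashVersionReport {
    param(
        [string]$WinDir = $env:windir,
        [version]$Minimum = $PatchedVersion
    )
    $flashDir = Join-Path $WinDir 'system32\Macromed\Flash'
    if (-not (Test-Path $flashDir)) {
        # No Flash directory at all: nothing to patch on this host.
        return [pscustomobject]@{ Path = $flashDir; Version = $null; Status = 'not installed' }
    }

    # Flash*.ocx covers the IE ActiveX control (Flash9f.ocx for 9.0.124, other
    # letters for earlier builds); NPSWF32.dll is the Netscape/Mozilla plug-in.
    $candidates = Get-ChildItem -Path $flashDir -File |
        Where-Object { $_.Name -like 'Flash*.ocx' -or $_.Name -ieq 'NPSWF32.dll' }

    if (-not $candidates) {
        return [pscustomobject]@{ Path = $flashDir; Version = $null; Status = 'no Flash binaries found' }
    }

    foreach ($file in $candidates) {
        # VersionInfo exposes the PE version resource; build a comparable
        # System.Version from the numeric parts rather than parsing the
        # "9,0,124,0" style string Adobe writes into FileVersion.
        $vi  = $file.VersionInfo
        $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                              $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($ver -lt $Minimum) { 'VULNERABLE - update required' } else { 'patched' }
        [pscustomobject]@{ Path = $file.FullName; Version = $ver; Status = $status }
    }
}

# Run on the local host; redirect or export the objects when collecting fleet-wide.
Get-FlashVersionReport | Format-Table -AutoSize
```

Any row marked VULNERABLE, or a host reporting a Flash*.ocx other than Flash9f.ocx, should be scheduled for the 9.0.124 update.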
Payloads vary but generally include the installation of downloaders, backdoors, and password-stealing spyware Trojans. While detection of the various Trojans is good on average, some remain undetected by major AV engines. None of the major AV engines detected the actual exploit Flash file at the time this advisory was written—May 27, 2008. Now that samples have been obtained, anti-virus companies are updating their signatures accordingly. SecureWorks advises organizations to apply signature updates to gateway and host AV products as soon as possible.