
July 22nd, 2009

Adobe Flash zero-day attack underway; Harden PDF Reader immediately

Posted by Ryan Naraine @ 3:38 pm

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Flash, Hackers, Malware, Patch Watch, Responsible disclosure, Zero-day attacks

Tags: Adobe Systems Inc., Adobe PDF, Vulnerability, Exploit, Zero-day Bug, Security, Ryan Naraine

Malicious hackers have found a new vulnerability in Adobe’s ever-present Flash software and are using rigged PDF documents to launch exploits against Windows targets.

The Adobe Flash Player flaw, which is currently unpatched, affects millions of Windows XP and Windows Vista users. Adobe has acknowledged a “potential vulnerability” but, inexplicably, has not seen fit to warn of the zero-day attacks or to issue pre-patch mitigation guidance (see update below) to tens of millions of its customers.

Here is Adobe’s only communication so far:

Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information.

Instead, word of the attacks has started to drip out from security companies monitoring the Web for malicious activity.

From Symantec:

Recently we came into possession of an Adobe Acrobat PDF file that upon opening drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload. And, during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash — not Adobe Reader as we initially suspected.

… The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique. Typically an attacker would entice a user to visit a malicious website or send a malicious PDF via email. Once the unsuspecting user visits the website or opens the PDF this exploit will allow further malware to be dropped onto the victim’s machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse.

My colleagues at Kaspersky (see disclosure) have confirmed the zero-day nature of the attacks, which take advantage of a feature available in Adobe Acrobat: embedded Adobe Flash objects in PDF documents.

In the current case, targeted attacks using Chinese-language PDF documents, the Flash exploit is fitted into an otherwise clean Adobe PDF file. If the target’s browser allows PDFs to be opened as embedded objects, or the user agrees to download and open the file with the local viewer, the machine is hit with malware.
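The attack vector described above is Flash content carried inside a PDF. As an added example that is not from the post or from any of the vendors quoted in it, the following Python triage script flags PDFs that contain such content, looking both at the raw file and inside Flate-compressed streams; the sample PDFs it builds are constructed for the demonstration and are not real exploit documents.

```python
import re
import zlib

# Textual markers of Acrobat 9 "rich media" (Flash) content in a PDF.
FLASH_MARKERS = {
    "richmedia-annot": re.compile(rb"/Subtype\s*/RichMedia"),
    "richmedia-content": re.compile(rb"/RichMediaContent"),
    "flash-instance": re.compile(rb"/Subtype\s*/Flash"),
    "swf-filename": re.compile(rb"\.swf\b", re.IGNORECASE),
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate(raw: bytes) -> bytes:
    """Undo FlateDecode if the stream is zlib data; otherwise return it as-is."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw


def scan_pdf_bytes(data: bytes) -> set:
    """Return the set of Flash indicators found in the PDF, checking the raw
    file and the (possibly compressed) body of every stream object."""
    findings = {name for name, pat in FLASH_MARKERS.items() if pat.search(data)}
    for m in STREAM_RE.finditer(data):
        body = inflate(m.group(1))
        if body[:3] in (b"FWS", b"CWS"):  # SWF file header (raw / zlib-packed)
            findings.add("swf-header")
        findings.update(name for name, pat in FLASH_MARKERS.items() if pat.search(body))
    return findings


def build_sample(with_flash: bool) -> bytes:
    """Constructed minimal PDF for testing (not a real exploit document). The
    Flash variant adds a RichMedia annotation plus a Flate-compressed stream
    whose decoded content starts with a SWF header."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R >>"]
    if with_flash:
        swf = zlib.compress(b"FWS\x08" + b"\x00" * 12)  # fake SWF body, constructed
        objs.append(b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent 5 0 R >>")
        objs.append(b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\n"
                    b"stream\n" % len(swf) + swf + b"\nendstream")
    out = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"%%EOF\n"


if __name__ == "__main__":
    for flag in (False, True):
        print("flash" if flag else "clean", sorted(scan_pdf_bytes(build_sample(flag))))
```

A hit is a reason to open the file only in a viewer with Flash disabled (or authplay.dll removed), not proof of malice, since legitimate rich-media PDFs trigger the same markers.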

There is evidence that at least one of the exploits was created on July 2, 2009.

In the absence of mitigation guidance from Adobe, here is my recommendation: disable Flash in Adobe Reader, or disable embedded objects in your current browser.

In Adobe Reader, go to Edit > Preferences > Multimedia Trust > Permission for Adobe Flash Player and set the drop-down to “Never” or “Prompt”.

Adobe wrote in to mention that the guidance posted above does NOT provide adequate protection.

The official mitigation guidance from Adobe is to delete, rename or remove access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x:

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit. Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommend users keep their anti-virus definitions up to date.

News of the latest attack comes just days after the software maker fessed up to shipping insecure versions of its PDF reader on the official Adobe.com download location.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



Talkback (most recent of 45)
RE: Adobe Flash zero-day attack underway; Harden PDF Reader immediately
Um, what about
c:\Program Files\Adobe\Adobe Utilities\ExtendScript Toolkit 2\authplay.dll
c:\Program Files\Adobe\Adobe Soundbooth CS3\authplay.dll
c:\Program Files\Adobe\Adobe Photoshop CS3\a... (Read the rest)
Posted by: slashdotaccount Posted on: 08/09/09
