Adobe Flash Player remote code execution vulnerability roundup – update #2

Adobe Flash Player contains a code execution vulnerability. An attacker may be able to trigger this vulnerability by convincing a user to open a specially crafted SWF file. The SWF file could be hosted on, or embedded in, a web page. If an attacker can take control of a web site or web server, this vulnerability may be exploited via otherwise trusted sites.

Update #2: Thursday May 29th 00:52 GMT: added Adobe PSIRT update.
Update #1: Thursday May 29th 00:34 GMT: added SANS info, F-Secure advice and ShadowServer analysis.

Adobe PSIRT – Potential Flash Player issue – update:

Here’s a quick update on our progress investigating the recent reports of a potential Flash Player exploit in the wild. The exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071). This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere – customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit.

We’re still looking into the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.

From SANS ISC:

On closer examination, this does not appear to be a “0-day exploit”. Symantec has updated their threatcon info, as well.

F-Secure reports:

There are reports of a critical vulnerability affecting current versions of Adobe Flash and evidence of it being exploited in the wild. Versions including and previous to 9.0.124.0 are reported to be at risk. However — chatter on the security lists we frequent suggests version 9.0.124.0 is not vulnerable and that the attacks are only reliably effective against version 9.0.115.0 and earlier (using CVE-2007-0071). In any case — we are seeing Flash exploits being used in combination with SQL injection attacks.

F-Secure also provides some mitigation strategies.

From ShadowServer:

It did not take us long to find several other websites beyond those already mentioned. It would appear that this exploit has been pretty widely known within the Chinese community for the past two days or so.

Click on the link above for some technical details.

Adobe PSIRT commented:

Just a quick note to say we are aware of today’s report of a potential exploit involving Flash Player in the wild. We are working with Symantec to investigate the potential SWF vulnerability, and will have an update once we get more information.

Here are the details from DeepSight ThreatCon:

The DeepSight ThreatCon is currently at Level 2 in response to the discovery of in-the-wild exploitation of a vulnerability affecting Adobe Flash Player. The flaw occurs when processing a malicious SWF file.

Originally it was believed that this issue was unpatched and unknown, but further technical analysis has revealed that it is very similar to the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. However, we are working with Adobe to identify the precise details, because we have observed the malicious files affecting patched versions of Flash, suggesting that it may be a variant or may have been incorrectly patched.

We have begun to observe numerous attacks. The original attacks observed involve two Chinese sites known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw, but are using different payloads. Further analysis into these attacks, specifically the woai117.cn attack, uncovered another domain involved: dota11.cn. We have discovered that this site is being actively injected into sites through what is likely SQL-injection vulnerabilities. A Google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site. Other reports are suggesting upwards of 250,000 affected pages.

A new attack, involving the play0nlnie.com domain, was recently reported. This attack works slightly differently and appears to be more sophisticated. The attack uses multiple layers of SWF redirection and generates URLs designed to target specific Flash version and browser combinations, supporting both Internet Explorer and Firefox. Symantec currently detects the SWF files as Downloader.Swif.C and the malware associated with these attacks as Infostealer.Gamepass and Trojan, respectively.

Network administrators are also advised to blacklist the offending domains to prevent clients from inadvertently being redirected to them. The following actions are also advised: Avoid browsing to untrustworthy sites. Consider disabling or uninstalling Flash until patches are available. Deploy script-blocking mechanisms, such as NoScript for Firefox, to explicitly prevent SWFs from loading on all but explicitly trusted sites. Temporarily set the kill bit on CLSID d27cdb6e-ae6d-11cf-96b8-444553540000 until patch availability is confirmed.
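As an added example of the kill-bit advice above (not code from the original post, Symantec or Adobe), the PowerShell below sets and verifies the Internet Explorer kill bit for the Flash Player CLSID named in the advisory and compares a Flash version string against the fixed build 9.0.124.0. The registry location and the 0x400 "Compatibility Flags" value are Microsoft's documented kill-bit mechanism; the version string in the usage section is a constructed sample, not read from a real host.

```powershell
# Added example: kill bit and version check for the Flash Player ActiveX control.
# Run from an elevated PowerShell prompt; registry key names are case-insensitive,
# so the braced, upper-case CLSID matches the one quoted in the advisory.

$FlashClsid   = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
$KillBitRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag  = 0x400                  # bit in "Compatibility Flags" that IE treats as the kill bit
$FixedVersion = [version]'9.0.124.0'   # build Adobe names as containing the fix for CVE-2007-0071

function Set-FlashKillBit {
    # Create the per-CLSID key if missing and OR in the kill bit, preserving any other flag bits.
    $key = Join-Path $KillBitRoot $FlashClsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
}

function Test-FlashKillBit {
    # Returns $true only when the kill bit is present for the Flash CLSID.
    $key = Join-Path $KillBitRoot $FlashClsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

function Test-FlashVersionFixed {
    # Accepts the comma-separated form Flash reports ("9,0,115,0") or dotted form,
    # and returns $true only for 9.0.124.0 or later.
    param([Parameter(Mandatory)][string]$VersionString)
    $v = [version]($VersionString -replace ',', '.')
    return $v -ge $FixedVersion
}

# Usage: inspect first, then apply the kill bit only where Flash is still below the fixed build.
$installed = '9,0,115,0'   # constructed sample value; read the real version from the host in practice
if (-not (Test-FlashVersionFixed $installed)) {
    if (-not (Test-FlashKillBit)) { Set-FlashKillBit }
    "Flash $installed is below $FixedVersion; kill bit set: $(Test-FlashKillBit)"
} else {
    "Flash $installed is at or above $FixedVersion; no kill bit needed"
}
```

Clearing the bit later (once 9.0.124.0 is deployed) is the same Set-ItemProperty call with the flag removed via `-band (-bnot $KillBitFlag)`.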

Dancho Danchev has a blog writeup on the topic with further technical details.