YA0D (Yet Another 0-Day) in Adobe Flash player
Well, it looks like the last two weeks have definitely been marked by multiple 0-day exploits actively used in the wild.
The latest one exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. Besides being a 0-day, there are some other interesting things about this exploit.
First, several AV companies reported that they detected this 0-day exploit in PDF files, so at first it looked like an Adobe Reader vulnerability. However, the vulnerable component is actually the Flash player or, better said, the code used by the Flash player, which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents, which will cause Adobe Reader to execute it, or it can be used to exploit the Flash player directly, making it a drive-by attack as well.
And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal).
It appears that the exploit still works even when JavaScript support is disabled in Adobe Reader, so at the moment there are no reliable protection mechanisms (except not using Adobe Reader?). Regarding Flash, NoScript is your best help here, of course.
(FIXED: the VT link pointed to a wrong file)
UPDATE:
At the moment there is a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate web sites to create a drive-by attack, as expected.
It appears that the attackers created two different shellcodes as well, one for Firefox users (still have to confirm this) and the other for Internet Explorer users (this one is confirmed to work).
UPDATE 2 (by John Bambenek):
Adobe has released an advisory on the issue here. They claim they'll have a patch ready around July 30-31.
UPDATE 3 (by Bojan):
There has been a lot of chatter about this vulnerability, and a lot of incorrect/incomplete information about various mitigation options, so I wanted to clear up a few things.
First of all, the only mitigation option is the one listed in Adobe's security advisory posted above – you can't mitigate this attack with any options in Adobe Reader (some blogs posted instructions for modifying Trust options under Multimedia Trust, but this relates only to legacy players and will not stop this exploit from executing).
Besides removing files (the mitigation in Adobe's advisory), our PDF expert Didier Stevens found a quick and dirty hack: open AcroRd32.dll in a hex editor and replace the string RichMedia (with Richmedia, for example). The exploits seen in the wild use the /RichMedia annotation, so this effectively stops them.
There has been a lot of chatter about another alleged 0-day exploit for Adobe Reader, a file called hereEvil.pdf (MD5: 7cf5e503c2b92e1c154ec53808466d7c). While this file is dangerous, it does not exploit the SWF 0-day (indeed, it contains no RichMedia annotations). Also, while testing this file I was not able to confirm that it successfully exploits Adobe Reader 9.1.0 as mentioned on some mailing lists (it certainly doesn't work against Adobe Reader 9.1.2).
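Since the in-the-wild exploits are recognised by their /RichMedia annotation (and hereEvil.pdf by the absence of one), a triage scan for that name is the first check a defender wants. The following is an added example, not code from the diary or from Didier Stevens' tools: it counts suspicious PDF name objects the way a pdfid-style scanner does, after decoding the #xx hex escapes that PDF allows inside names (so /#52ich#4dedia is still seen as /RichMedia). The three sample documents are constructed here and are not real malware.

```python
import re

# Constructed sample PDF fragments (not real malware, not files from the diary):
# one with a plain /RichMedia annotation, one that hides the same name behind
# PDF #xx hex escapes, and one benign page with no active content.
SAMPLE_PLAIN = b"""%PDF-1.6
1 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent 2 0 R >> endobj
2 0 obj << /Assets << /Names [ (movie.swf) 3 0 R ] >> >> endobj
"""
SAMPLE_ESCAPED = b"""%PDF-1.6
1 0 obj << /Type /Annot /Subtype /#52ich#4dedia /#52ichMediaContent 2 0 R >> endobj
"""
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Page /Contents 2 0 R >> endobj
2 0 obj << /Length 11 >> stream
Hello world
endstream endobj
"""

# Name objects worth counting in a triage pass: the annotation used by this
# exploit plus the usual script/launch/embedding vectors, and object streams,
# which can hide any of the others from a plain byte search.
KEYWORDS = (b"/RichMedia", b"/JavaScript", b"/JS", b"/OpenAction",
            b"/AA", b"/Launch", b"/EmbeddedFile", b"/ObjStm")

# PDF delimiters and whitespace end a name token, so /RichMediaContent is
# not counted as /RichMedia.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /#52ich#4dedia reads as /RichMedia."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each keyword as a whole name token in the escape-normalized bytes."""
    norm = normalize_names(data)
    return {kw.decode(): len(re.findall(re.escape(kw) + _NAME_END, norm))
            for kw in KEYWORDS}


def has_richmedia(data: bytes) -> bool:
    """True when the document carries at least one /RichMedia name."""
    return count_keywords(data)["/RichMedia"] > 0


if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                          ("benign", SAMPLE_BENIGN)):
        verdict = "richmedia" if has_richmedia(sample) else "clean"
        print(label, verdict, count_keywords(sample))
```

Two caveats apply to any byte-level scan of this kind: it does not inflate compressed streams, so an annotation tucked inside a FlateDecode object stream shows up only as a non-zero /ObjStm count that warrants a deeper look, and the escape decoding is applied to the whole file rather than to name tokens only, which is acceptable for triage but not for parsing.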
Finally, some (at least for now) good news – it appears the Flash exploit is still not widely used, with only a couple of sites serving it.
Unfortunately, Adobe didn't give us a lot of mitigation options in their advisory (or actually any!) for the Flash player, which is, in my opinion, the real issue here since it allows for fully automated drive-by attacks. Besides NoScript mentioned above, there is another nice addon for Firefox called Flashblock which can help in preventing Flash movies from loading in your browser. This should help as a band-aid since we have to wait until next Thursday for Adobe to release the patch!
Some extras: Julia Wolf from FireEye wrote a really nice article about how ActionScript can be used to spray the heap (instead of JavaScript -- this is why turning off JavaScript will not protect you) as well as about some differences in those two shellcodes I mentioned yesterday. You can read the article at FireEye's blog.
--
Bojan
DD-WRT Vulnerability
Paul wrote in to let us know about a new vulnerability in DD-WRT that was being reported by The Register at http://www.theregister.co.uk/
DD-WRT runs on routers by Linksys, D-Link, Buffalo and ASUS, as well as other routers. The complete list can be found at http://www.dd-wrt.com/wiki/index.php/Supported_Devices
This vulnerability will allow an attacker to run programs with root privileges on a vulnerable router.
More information can be found on the DD-WRT Forum at http://www.dd-wrt.com/phpBB2/viewtopic.php?t=55173&postdays=0&postorder=asc&start=0
Christopher Carboni - Handler On Duty
Vulnerability in dhclient - Check Your Vendor For Patches
US-CERT released VU#410676, which deals with a vulnerability in the ISC DHCP dhclient application.
"The ISC DHCP client code (dhclient) contains a stack buffer overflow in the script_write_params() method. dhclient fails to check the length of the server-supplied subnet-mask option before copying it into a buffer. According to ISC, the following versions are affected:
DHCP 4.1 (all versions)
DHCP 4.0 (all versions)
DHCP 3.1 (all versions)
DHCP 3.0 (all versions)
DHCP 2.0 (all versions)"
Red Hat (no version specified) and Ubuntu are known to be vulnerable.
More details are available at http://www.kb.cert.org/vuls/id/410676, https://www.isc.org/node/468 and http://vrt-sourcefire.blogspot.com/2009/07/dont-read-this-post.html
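The advisory's description of the bug is the classic one: a server-supplied option length is trusted before the data is copied into a fixed-size buffer. The following added example (not ISC's dhclient code) shows the defensive side of that: a parser for the DHCP option area that rejects options whose length violates the spec, and a subnet-mask accessor that checks the length is exactly 4 bytes before using the value. The option fields are constructed for the example, and the length rules cover only a small subset of RFC 2132 options.

```python
# Added example, not ISC's dhclient code: parse and validate DHCP options
# before trusting any server-supplied length.

MAGIC_COOKIE = b"\x63\x82\x53\x63"
PAD, END = 0, 255

# Length rules for a small subset of RFC 2132 options (assumption: only the
# options this example needs; a real parser covers the full registry).
OPTION_NAMES = {1: "subnet mask", 3: "router", 6: "DNS server",
                51: "lease time", 53: "message type", 54: "server identifier"}
FIXED_LEN = {1: 4, 51: 4, 53: 1, 54: 4}
ADDRESS_LIST = {3, 6}   # one or more 4-byte IPv4 addresses


def parse_options(field: bytes) -> list:
    """Walk the TLV option area that follows the magic cookie; returns [(code, data)]."""
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, out = len(MAGIC_COOKIE), []
    while i < len(field):
        code = field[i]
        if code == PAD:          # single-byte padding, no length
            i += 1
            continue
        if code == END:          # end marker
            break
        if i + 1 >= len(field):
            raise ValueError("truncated option header at offset %d" % i)
        length = field[i + 1]
        data = field[i + 2:i + 2 + length]
        if len(data) != length:  # length runs past the end of the packet
            raise ValueError("option %d claims %d bytes, only %d remain"
                             % (code, length, len(data)))
        out.append((code, data))
        i += 2 + length
    return out


def validate_options(opts: list) -> list:
    """Describe every option whose length breaks the rule for its code."""
    problems = []
    for code, data in opts:
        name = OPTION_NAMES.get(code, "option %d" % code)
        if code in FIXED_LEN and len(data) != FIXED_LEN[code]:
            problems.append("%s: length %d, expected %d"
                            % (name, len(data), FIXED_LEN[code]))
        elif code in ADDRESS_LIST and (len(data) == 0 or len(data) % 4):
            problems.append("%s: length %d is not a multiple of 4"
                            % (name, len(data)))
    return problems


def subnet_mask_from(opts: list):
    """Return the mask as a dotted quad only when it is exactly 4 bytes long.
    This is the check-before-copy that the advisory says dhclient lacked."""
    for code, data in opts:
        if code == 1:
            if len(data) != 4:
                return None
            return ".".join(str(b) for b in data)
    return None


def build_options(pairs: list) -> bytes:
    """Assemble a constructed option field for testing (lengths must fit a byte)."""
    body = b"".join(bytes([code, len(data)]) + data for code, data in pairs)
    return MAGIC_COOKIE + body + bytes([END])


# Constructed option fields: a well-formed DHCPOFFER set, and one in which the
# server sends a 40-byte subnet-mask option.
GOOD_FIELD = build_options([(53, b"\x02"), (1, b"\xff\xff\xff\x00"),
                            (3, b"\xc0\xa8\x01\x01"), (54, b"\xc0\xa8\x01\x01")])
BAD_FIELD = build_options([(53, b"\x02"), (1, b"\xff" * 40),
                           (54, b"\xc0\xa8\x01\x01")])

if __name__ == "__main__":
    for label, field in (("good", GOOD_FIELD), ("bad", BAD_FIELD)):
        opts = parse_options(field)
        print(label, subnet_mask_from(opts), validate_options(opts))
```

The same validation run over captured DHCP traffic is a cheap IDS-style check for this class of bug: a subnet-mask option whose length is anything but 4 has no legitimate reason to appear on the wire.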
Christopher Carboni - Handler On Duty
Firefox 3.0.12 is Available
For those Firefox users who have not upgraded to 3.5.x, Firefox 3.0.12 is now available for Windows, Mac, and Linux for free download from http://www.mozilla.com/en-US/
Firefox 3.0.x will be maintained with security and stability updates until January, 2010. All users are encouraged to upgrade to Firefox 3.5 by downloading it from http://firefox.com/ or by selecting "Check for Updates..." from the Help menu when using Firefox 3.0.12.
Christopher Carboni - Handler On Duty