Allegedly critical zero-day vulnerability in current Flash Player
The current version of Adobe Flash Player, 126.96.36.199, supposedly includes a critical security vulnerability that can be used by criminals to inject malicious code into a system, according to security software firm Intevydis. The company has even put out a ten-minute video demonstrating an exploit it is offering for its commercial attack framework VulnDisco. So far, Intevydis is keeping quiet about details of the vulnerability. Only paying customers can use the exploit to look for the weak point in their system.
In the video, the company is able to use the White Phosphorous exploit pack to escape Internet Explorer's sandbox. Apparently, the exploit takes advantage of two security vulnerabilities at once to bypass data execution prevention (DEP) and address space layout randomisation (ASLR). The company says that the exploit works on Windows XP and Windows 7 with Internet Explorer, Firefox, and Google Chrome, although it is not yet certain whether it really manages to escape Chrome’s sandbox. A version for Mac OS X is on its way. Adobe has not yet commented on the vulnerability.
Intevydis has received attention in the past concerning its strategy for releasing information. Instead of reporting vulnerabilities directly to developers, the company announces that customers can pay for the special Step Ahead edition of the VulnDisco attack framework; this edition's selling point is that it includes zero-day exploits for popular applications. The hope is that the customer base consists only of pentesters.
Yesterday, a zero-day vulnerability in Adobe Reader that has already been used for targeted attacks was also announced. The targets apparently included suppliers to the US military such as Lockheed Martin, as mentioned in the acknowledgements in Adobe's advisory.