In association with heise online

10 June 2010, 13:21

Exploit for new Flash vulnerability spreading fast

According to a number of anti-virus software vendors, an exploit for the unpatched vulnerability in Adobe's Flash Player and Reader, discovered at the weekend, is spreading rapidly, and a number of web sites are already distributing malware by exploiting it. The vulnerability affects Flash Player 10.0.45.2 and earlier and the authplay.dll library included with Reader and Acrobat 9.x.

According to several independent analyses, the exploit is based on a Flash demo for implementing the AES encryption algorithm written in ActionScript. The exploit replaces just a single line (getproperty instead of newfunction), but this substitution makes a mess of the ActionScript stack. This apparently allows additional x86 code to be written to the PC's memory via Flash Player's just-in-time compiler and executed. A detailed analysis of the exploit can be found in "A brief analysis of a malicious PDF file which exploits this week's Flash 0-day".

Crafted websites are already attempting to use the exploit to launch programs which download further malware from the web, including back doors and trojans. Adobe has announced that it is to release an update for Flash Player today (Thursday 10th June). The update for Adobe Reader and Acrobat will be released on 29th July, two weeks prior to the regular quarterly patch day.

Until the update is released, Adobe is advising Adobe Reader and Adobe Acrobat 9 users to delete, rename or move authplay.dll. Adobe admits, however, that this does lead to crashes when opening PDF files containing Flash content. In Windows, the file is usually located in C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll.
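
The rename workaround described above can be scripted so that it is reversible and never overwrites an existing file. This is an added example, not code from Adobe or from the article; the default paths are the two locations named above, while the ".disabled" suffix and the -Restore switch are assumptions made here.

```powershell
# Added example, not Adobe's script. Default paths are the two locations the
# article names; the ".disabled" suffix and -Restore switch are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Path = @(
        'C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll',
        'C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll'
    ),
    [switch]$Restore   # undo the workaround once the patched build is installed
)

# A running Reader/Acrobat may already have the library loaded; renaming the
# file only protects processes started afterwards.
$running = Get-Process -Name 'AcroRd32', 'Acrobat' -ErrorAction SilentlyContinue
if ($running) {
    $names = ($running | Select-Object -ExpandProperty Name -Unique) -join ', '
    Write-Warning "Close these applications first: $names"
}

foreach ($dll in $Path) {
    $disabled = "$dll.disabled"
    if ($Restore) { $from, $to, $action = $disabled, $dll, 'restored' }
    else          { $from, $to, $action = $dll, $disabled, 'disabled' }

    if (-not (Test-Path -LiteralPath $from -PathType Leaf)) {
        Write-Verbose "Not present, skipping: $from"
        continue
    }
    if (Test-Path -LiteralPath $to) {
        # Never overwrite: an existing target means a partial or repeated run.
        Write-Warning "Target already exists, leaving untouched: $to"
        continue
    }
    $newName = Split-Path -Path $to -Leaf
    if ($PSCmdlet.ShouldProcess($from, "Rename to $newName")) {
        Rename-Item -LiteralPath $from -NewName $newName -ErrorAction Stop
        # Emit one record per change so the run can be logged or audited.
        [pscustomobject]@{ Action = $action; From = $from; To = $to }
    }
}
```

Saved as a script file and run from an elevated prompt, -WhatIf previews the renames without making them, and -Path accepts other install locations.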

According to US-CERT, attacks can be thwarted by disabling JavaScript in Adobe Reader and activating data execution prevention in Windows.

(djwm)

Permalink: http://h-online.com/-1019485