Home
Latest images
Search
Register
Log inAnother 0day exploit in Adobe Flash player
Page 1 of 1
Another 0day exploit in Adobe Flash player
andry Thu Oct 28, 2010 12:50 am
Well, it looks like the last two weeks have definitely been marked by multiple 0-day exploits actively used in the wild.
The last one exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. Besides being a 0-day there are some other interesting things about this exploit.
First, several AV companies reported that they detected this 0-day exploit in PDF files, so at first it looked like an Adobe Reader vulnerability. However, the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well.
And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal).
The last one exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. Besides being a 0-day there are some other interesting things about this exploit.
First, several AV companies reported that they detected this 0-day exploit in PDF files, so at first it looked like an Adobe Reader vulnerability. However, the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well.
And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal).
andry- Moderator
- Posts : 467
Join date : 2010-05-07
Similar topics» Adobe Flash Player Invalid Loader Object Reference Vulnerability
» Adobe Flash Player and AIR AVM2 intf_count Integer Overflow Remote Code Execution
» WordPress 0day exploit in all version
» 0day Internet Explorer Exploit Released
» Linux 2.6.30+/SELinux/RHEL5 test kernel 0day Exploit
» Adobe Flash Player and AIR AVM2 intf_count Integer Overflow Remote Code Execution
» WordPress 0day exploit in all version
» 0day Internet Explorer Exploit Released
» Linux 2.6.30+/SELinux/RHEL5 test kernel 0day Exploit
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum|
|
|