Adobe Flash Zero-Day Attack Underway
Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"
Hey Adobe: Try Using Stack Canaries! (Score:5, Informative)
A Stack Canary [wikipedia.org] is a value placed at the end of a function's stack frame. Just before function return, the canary's value is checked, and if it has changed, the user is notified.
So what you do is build a test version of Flash with canaries enabled in the compiler, then try feeding it all kinds of potentially buffer-overrunning input.
To enable canaries:
I'll send you my bill in the mail.
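The canary mechanism the comment describes, as an added example that is not from the thread or from Adobe: a C model in which a struct stands in for a function's stack frame, so the overrun stays well-defined C instead of relying on a real compiler-inserted canary (GCC's -fstack-protector is what actually does this). The canary constant, the frame layout and the input lengths are constructed for the demonstration.

```c
/* Model of a stack canary: a fixed buffer followed by a guard value, checked
 * before "returning". A real canary is random per process and emitted by the
 * compiler; this constant and struct layout are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY_VALUE 0xA5C3F00DU   /* constructed value, not a real canary */

/* Stand-in for a stack frame: the value sits at the end of the frame,
 * right after the buffer an overrun would walk past. */
struct frame {
    char buf[16];
    uint32_t canary;
};

/* Copy untrusted input into the frame, clamped to the frame size so the model
 * never writes outside the struct. Returns 1 if the canary is intact at the
 * point a function would return, 0 if it was clobbered (overrun detected). */
int copy_and_check(const unsigned char *input, size_t len) {
    struct frame f;
    f.canary = CANARY_VALUE;            /* prologue: install the guard */
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);             /* the unchecked copy the canary guards */
    return f.canary == CANARY_VALUE;    /* epilogue: verify before returning */
}

int benign_input(void) {
    const unsigned char in[] = "hello"; /* 6 bytes incl. NUL: fits in buf */
    return copy_and_check(in, sizeof in);
}

int overrunning_input(void) {
    unsigned char in[20];
    memset(in, 'A', sizeof in);         /* 16 bytes fill buf, 4 land on the canary */
    return copy_and_check(in, sizeof in);
}

/* Feed inputs of growing length, as the comment suggests, and report the first
 * length at which the canary check fires (0 if it never does). */
size_t first_detected_overrun(void) {
    unsigned char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);
    for (size_t len = 1; len <= sizeof in; len++)
        if (!copy_and_check(in, len)) return len;
    return 0;
}

int main(void) {
    printf("benign input:      canary %s\n", benign_input() ? "intact" : "CLOBBERED");
    printf("overrunning input: canary %s\n", overrunning_input() ? "intact" : "CLOBBERED");
    printf("first detected overrun at %zu bytes\n", first_detected_overrun());
    return 0;
}
```

A 20-byte input that happened to end in the canary's own bytes would slip past this check, which is why real canaries are randomized rather than fixed constants.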
MOD PARENT INSIGHTFUL!!11 (Score:1, Informative)
At first glance, it might seem like you'd need to introduce control characters into the data to differentiate the various parts of the data, in case you ever needed to put multiple fields with a single control statement (I know, it's rare, but some people _do_ need this). However, the TCP people invented an ingenious way of dealing with this by designating a special character for separating fields. All you need to do is escape it every time it occurs naturally in the stream. Then, all your problems are solved.
Well, you've still got the problem of associating the control data with the payload. They are, after all, on two different channels and could arrive at different times. That's a trivial problem, though, because you just send the control data first and wait a short time before sending the real data. Electronic signals always travel at the same speed.
Oh, we're not quite done yet. What happens if you want to embed user-entered data in the control? Well, that's easily handled, too, by moving everything except the framing sequences in the control channel into the data channel, so everything is data. I think that should work perfectly.
NoScript WILL Save You (most of the time) (Score:5, Informative)
SWF and other payload files cannot be uploaded and hosted on the compromised web server as easily as SQL-injecting a script fragment which downloads them from a 3rd party site in full control of the attacker. In this and all the recent mass-infection cases [hackademix.net], the 3rd party hosts have been improbable Chinese domains likely registered ad hoc (such as wuqing17173.cn, woai117.cn or dota11.cn), and very unlikely to be in your NoScript whitelist, no matter how savage your browsing habits could be.
So in all "real world" scenarios seen so far, this one included, you are protected by NoScript in its default configuration, which blocks 3rd party embeddings even if you're visiting a trusted page.
Then if you want extra protection for the use cases you've listed (i.e. frequent usage of Flash-intensive, community-driven web sites), you can also configure NoScript to block ALL the embedded objects [hackademix.net], with no regard for their origin: you will still be able to temporarily allow them selectively, by clicking on a visual placeholder.
Re:This is NOT a 'zero day flaw'..... (Score:2, Informative)
The phrase is not meaningless, there is no reason to stop using it.
No worries (Score:2, Informative)
Guess this is the moment for Gnash (http://www.gnu.org/software/gnash/) to shine!
Updated info re this sploit... (Score:4, Informative)
See also Symantec Threatcon here [symantec.com]
So it looks as though, if you have the latest Flash plugin (9.0.124), you may be ok.
Andy