Security

Adobe Flash Zero-Day Attack Underway

Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"
  • Re:And people (Score:1, Informative)

    by Anonymous Coward on Wednesday May 28, 2008 @03:51AM (#23567675)
    NoScript is like a condom. It will only protect you if you use it properly. If you know one of your lovers is sleeping around with hundreds of others, perhaps it is time to see someone else. Otherwise you're going to get the HIV^Wmalware.
  • Re:And people (Score:5, Informative)

    by Daengbo ( 523424 ) <daengbo@gmail. c o m> on Wednesday May 28, 2008 @04:00AM (#23567713) Homepage Journal
    That's why you should be using Gnash. Monoculture (all Flash being played by Adobe Flash player) is a bad thing when an infection occurs.
  • by Anonymous Coward on Wednesday May 28, 2008 @04:07AM (#23567743)
    And who says it's not an issue on the Mac and Linux besides you? Nowhere in any of the linked articles (Yes, I actually RTFA) does it mention that it is a Windows-only bug...
  • Re:And people (Score:2, Informative)

    by Anonymous Coward on Wednesday May 28, 2008 @04:19AM (#23567789)
    That's what temporary permissions are for. I have a very small, very select list of whitelisted sites, and everything else is temporary as needed. Plus, I have all flash objects blocked until I allow them. Period. Even trusted sites get this restriction -- I don't like my browser autostarting some annoying flash clip just because the site author thought it would be cute to include their "pet spider" on their website.
  • by Anonymous Coward on Wednesday May 28, 2008 @04:25AM (#23567823)
    Silverlight does run [apple.com] on Mac OS X.
  • Re:And people (Score:5, Informative)

    by Anonymous Coward on Wednesday May 28, 2008 @04:44AM (#23567899)
    It plays them now
  • by MichaelCrawford ( 610140 ) on Wednesday May 28, 2008 @04:46AM (#23567907) Homepage Journal
    No doubt someone from Adobe will be reading this Slashdot story.

    A Stack Canary [wikipedia.org] is a value placed at the end of a function's stack frame. Just before function return, the canary's value is checked, and if it has changed, the user is notified.

    So what you do is build a test version of Flash with canaries enabled in the compiler, then try feeding it all kinds of potentially buffer-overrunning input.

    To enable canaries:

    The Xcode-Users post I linked to says that stack canaries were discussed in session 109 at Apple's developer conference, in 2007 I think. You should be able to view it on the Apple Developer Connection website.

    I'll send you my bill in the mail.
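A stand-alone model of the canary mechanism the comment above describes, added here as an example (not the commenter's or Adobe's code, and not the compiler's built-in protection, which GCC turns on with -fstack-protector): the struct layout standing in for a stack frame, the unchecked copy and the CANARY constant are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame: a fixed buffer followed by a
 * canary word, the layout a stack-protected compiler emits. */
struct frame {
    char     buf[16];
    uint64_t canary;
};

/* Secret canary value. A real runtime picks it randomly at start-up;
 * it is fixed here so the example is deterministic. */
static const uint64_t CANARY = 0x5A5A1234DEADBEEFULL;

/* Copies `len` input bytes into the frame's buffer with no bounds
 * check (the kind of bug fuzzing is meant to surface), then performs
 * the epilogue check. Returns 1 if the canary survived, 0 if the copy
 * overran into it. The write is bounded to sizeof(struct frame) so the
 * model stays well-defined; a real overrun would keep going into the
 * saved return address, which is exactly what the canary check catches
 * first. */
int copy_and_check(const unsigned char *input, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;                        /* prologue: plant canary */

    size_t n = len < sizeof f ? len : sizeof f;
    memcpy((unsigned char *)&f, input, n);    /* unchecked copy into buf */

    return f.canary == CANARY;                /* epilogue: verify canary */
}

int main(void)
{
    const unsigned char *ok = (const unsigned char *)"safe"; /* constructed */
    unsigned char bad[32];                    /* constructed 32-byte overrun */
    memset(bad, 'A', sizeof bad);

    printf("short input: %s\n",
           copy_and_check(ok, 4) ? "canary intact" : "STACK SMASHED");
    printf("long input : %s\n",
           copy_and_check(bad, sizeof bad) ? "canary intact" : "STACK SMASHED");
    return 0;
}
```

Sixteen bytes exactly fill the buffer and pass; the seventeenth byte lands on the canary and the check fails before the function returns.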

  • by linal ( 1116371 ) on Wednesday May 28, 2008 @05:01AM (#23567971)
    SQL injections aren't an MS-specific problem; they come from poor programming and design. The same SQL injection attack could happen on any OS and DB.
  • Re:And people (Score:3, Informative)

    by Anonymous Coward on Wednesday May 28, 2008 @05:13AM (#23568029)
    I find swfdec [freedesktop.org] to be better with YouTube atm
  • by Anonymous Coward on Wednesday May 28, 2008 @06:18AM (#23568275)
    He's absolutely right about the idea of separating the control from the data. No other well-designed architecture does things this way. Take TCP, for example, which requires you to open two TCP ports for every connection, one for control and one for data. Or Ethernet where you have to have two pairs of wires, one for control data and one for real data. Other examples where this is employed are RPC, UDP, and even the telephone system.

    At first glance, it might seem like you'd need to introduce control characters into the data to differentiate the various parts of the data, in case you ever needed to put multiple fields with a single control statement (I know, it's rare, but some people _do_ need this). However, the TCP people invented an ingenious way of dealing with this by designating a special character for separating fields. All you need to do is escape it every time it occurs naturally in the stream. Then, all your problems are solved.

    Well, you've still got the problem of associating the control data with the payload. They are, after all, on two different channels and could arrive at different times. That's a trivial problem, though, because you just send the control data first and wait a short time before sending the real data. Electronic signals always travel at the same speed.

    Oh, we're not quite done yet. What happens if you want to embed user-entered data in the control? Well, that's easily handled, too, by moving everything except the framing sequences in the control channel into the data channel, so everything is data. I think that should work perfectly.
  • by Gewalt ( 1200451 ) on Wednesday May 28, 2008 @06:58AM (#23568459)
    No, zero day exploit refers to the fact that the exploit is publicly disclosed (and in use) before there is a patch to fix it. So yes, tomorrow, this will STILL be a zero day exploit.
  • by Giorgio Maone ( 913745 ) on Wednesday May 28, 2008 @07:12AM (#23568525) Homepage

    SWF and other payload files cannot be uploaded and hosted on the compromised web server as easily as SQL-injecting a script fragment which downloads them from a 3rd party site in full control of the attacker. In this and all the recent mass-infection cases [hackademix.net], the 3rd party hosts have been improbable Chinese domains likely registered ad hoc (such as wuqing17173.cn, woai117.cn or dota11.cn), and very unlikely to be in your NoScript whitelist, no matter how savage your browsing habits could be.

    So in all "real world" scenarios seen so far, this one included, you are protected by NoScript in its default configuration, which blocks 3rd party embeddings even if you're visiting a trusted page.

    Then if you want extra protection for the use cases you've listed (i.e. frequent usage of Flash-intensive community driven web sites), you can also configure NoScript to block ALL the embedded objects [hackademix.net], with no regard for their origin: you will still be able to temporarily allow them selectively, by clicking on a visual placeholder.

  • by Gewalt ( 1200451 ) on Wednesday May 28, 2008 @07:24AM (#23568615)
    ya, now you're just mumbling incoherent gibberish. So sad. Either accept that your perceived definition was wrong, or stop talking about how you don't like what it doesn't mean.

    The phrase is not meaningless, there is no reason to stop using it.
  • by Giorgio Maone ( 913745 ) on Wednesday May 28, 2008 @07:27AM (#23568627) Homepage
    Just check NoScript Options|Plugins|Apply these restrictions to trusted sites too. In this configuration, NoScript effectively replaces FlashBlock [noscript.net], and it works on plugins different from Flash as well.
  • Re:And people (Score:3, Informative)

    by pizzach ( 1011925 ) <pizzachNO@SPAMgmail.com> on Wednesday May 28, 2008 @08:13AM (#23568929) Homepage
    I just installed the newest CVS 20 minutes ago. YouTube definitely still plays. Be warned though that it currently uses a crapload of CPU, and there can be a video lag while Gnash loads things. Afterwards it's fine though.
  • No worries (Score:2, Informative)

    by __aavonx8281 ( 149913 ) on Wednesday May 28, 2008 @08:46AM (#23569219)
    I'll just install the open source alternative to Flash on my Windows desktop...

    Guess this is the moment for Gnash (http://www.gnu.org/software/gnash/) to shine!
  • by Fallen Andy ( 795676 ) on Wednesday May 28, 2008 @10:20AM (#23570263)
    ShadowServer [shadowserver.org] has updated information on this here [shadowserver.org].

    See also Symantec Threatcon here [symantec.com]

    So it looks as though, if you have the latest Flash plugin (9.0.124), you may be OK.

    Andy
