Security

Adobe has released a patch for a critical Flash Player problem that could let attackers take over people's computers through content viewed in a browser.

The vulnerability affected a file that shipped with Flash Player 9.x and 10.x for Windows, Mac OS X, and Linux, and with Adobe Reader and Adobe Acrobat 9.x for Windows, Macintosh, and Unix. Adobe said Thursday it fixed the problem in a security advisory, and Adobe's Matt Rozen posted a note on Twitter that directed people to download the patched version from Adobe's Flash download site.

This was no abstract, theoretical vulnerability, either.

"There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows," Adobe said in an earlier advisory about the problem.

Flash is very widely used in browsers to power features such as interactive stock charts and YouTube video streaming.

(Credit: Adobe)

Adobe said Thursday that it will issue fixes next week for a critical hole in Flash that is being exploited in attacks against Adobe Reader version 9 on Windows.

The vulnerability exists in current versions of Flash Player for Windows, Macintosh, and Linux and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for those same platforms, Adobe said in an advisory.

The vulnerability could cause a system to crash or allow an attacker to take control of the computer, Adobe said.

An update for Flash Player v9 and v10 for Windows, Mac, and Linux will be released by July 30, while a fix for Solaris is pending. Adobe should have an update for Reader and Acrobat v9.1.2 for Windows, Macintosh, and Unix by July 31.

An attacker can exploit the vulnerability by luring someone to a Web site hosting a specially crafted Shockwave Flash file, US-CERT said in an advisory Thursday.

"The Adobe Flash browser plug-in is available for multiple Web browsers and operating systems, any of which could be affected," CERT said. "An attacker could also create a PDF document that has an embedded SWF file to exploit the vulnerability. This vulnerability is being actively exploited."

The vulnerabilities can be mitigated by disabling the Flash plug-in or by using the NoScript extension for Mozilla Firefox or SeaMonkey to whitelist sites that can access the Flash plug-in, CERT said.

To disable Flash, US-CERT recommends:

• Disabling Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".

• Disabling Flash Player or selectively enabling Flash content as described in the "Securing Your Web Browser" document.

"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF (Shockwave Flash) content," the Adobe advisory said.

Typically, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0]\Acrobat\authplay.dll, Adobe said.

Windows Vista users can mitigate the impact of the exploit by enabling UAC (User Access Control), according to Adobe. Flash Player users should be careful when browsing unfamiliar Web sites.

Researchers on Wednesday reported that they had uncovered attacks in the wild in which malicious Acrobat PDF files were exploiting a vulnerability in Flash and dropping a Trojan onto computers.

The bug used in the exploit has been around since December 2008.

Researchers on Wednesday said they have uncovered attacks in the wild in which malicious Acrobat PDF files are exploiting a vulnerability in Flash and dropping a Trojan onto computers.

The situation could affect tons of users since Flash exists in all popular browsers, is available in PDF files, and is largely operating system-independent.

Any software that uses Flash could be vulnerable to the attack, according to Symantec. Adobe Reader is vulnerable because its Flash interpreter is vulnerable, said Paul Royal, principal researcher at Purewire, a Web security services provider.

In a post on its Web site, Adobe said it "is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information."

"The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique," Patrick Fitzgerald writes on a Symantec Security blog post.

"Typically an attacker would entice a user to visit a malicious Web site or send a malicious PDF via e-mail," he writes. "Once the unsuspecting user visits the Web site or opens the PDF this exploit will allow further malware to be dropped onto the victim's machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse."

It appears the exploit was first developed about two weeks ago, Royal said. The bug itself has been around since December 2008.

The hole is exploitable on Windows XP and Vista users are protected if User Account Control (UAC) is enabled, Symantec said.

US-CERT offered information about workarounds on its Web site:

• Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".

• Disable Flash Player or selectively enable Flash content as described in the "Securing Your Web Browser" document.

Adobe released a patch for a Flash player hole this week that could allow an attacker to remotely take control of a computer.

The vulnerability is critical for one for Adobe Flash Player 10.0.12.36 and earlier versions, the company said in an advisory.

To exploit the vulnerability, a targeted user must load a malicious Shockwave Flash file, which can be done by social engineering the user or injecting malicious content into a compromised, trusted Web site, according to an advisory from security firm iDefense.

Internet Explorer and Firefox plug-ins can be used to temporarily block and unblock Flash content, iDefense said.

While Adobe was releasing news about the Flash vulnerability, more information was surfacing about the hole in Adobe Reader 9 and Acrobat 9 that was announced last week. A patch is due by March 11.

Security company Sourcefire, which released a patch of its own, told IDG News Service that it has found evidence of attacks exploiting the vulnerability for more than six weeks.

There were two critical vulnerabilities in Adobe Reader last year that resulted in remote code execution exploits, according to an entry on the IBM Internet Security Systems blog.

"Currently, we have only witnessed this [new] exploit in highly targeted attacks and have not detected this exploit utilized heavily in the wild yet," the blog entry said. "But it is unknown how long it will be before we see this spread quickly through malicious websites. Milw0rm just released proof-of-concept exploit code. So, we don't expect it to take long before this exploit moves beyond targeted attacks to malicious exploit toolkit integration and widespread exploitation."

One of the spam messages using Obama's election to entice people to download malware.

(Credit: Sophos)

Within hours of settling the U.S. presidential election on Tuesday, spam seen worldwide began incorporating the name and image of Barack Obama, according to various security vendors. The U.K.'s Sophos reported 60 percent of all spam seen by the lab on Wednesday was in some way Obama related.

One piece of spam alleges to contain a link to video of Obama's acceptance speech. If you follow the video link within the e-mail message you will be taken to a Web page where you'll be asked to update your Adobe Flash Player with a file, adobe_flash9.exe, first. This is not an official Adobe update file and downloading this file may in turn infect your computer with a Trojan.

Sophos named the Trojan Mal/Behav-027. F-Secure named it W32/Papras.CL. Sunbelt Software also has a blog about this particular piece of spam.

Meanwhile, Websense is reporting a separate threat. An e-mail appears to be an interview with the new president elect. The e-mail features embedded links to a video site that attempts to install a file, BarackObama.exe. Downloading this file may infect your computer with a Trojan.

On Tuesday, Adobe issued a workaround for a serious issue that could allow attackers to change the security settings within Flash.

Termed "clickjacking," the process gives "an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable," wrote WhiteHat Security CTO Jeremiah Grossman in a blog posting last month. He went on to say that while "guarding against Clickjacking was largely the browser vendors' responsibility," both he and Robert Hansen agreed to withhold further information and even canceled their talk recently at OWASP NYC AppSec 2008 Conference at the request of Adobe. In return, Adobe thanked the researchers.

In brief, the attack involves embedded objects on a maliciously crafted Web page. Using framed content or that from Flash, Silverlight, or Java, the attacker places a transparent or invisible click button beneath the mouse so that whenever the user clicks on something they see on the page (to see more search results on Google, for example) the user is also clicking to a unseen Web site that may contain malicious code. The attack can also take advantage of dynamic HTML and CSS (Cascading Style Sheets) codes to further disguise itself.

In a blog, Guy Aharonovsky describes a process using clickjacking where Flash security settings can be changed to allow an attacker access to a PC's Webcam or microphone. This, he says, could create remote eavesdropping possibilities.

Although the demonstration page created by Aharonovsky has been disabled, his video demonstration shows a rigged click button as it randomly moves around the page. In reality, the click button under the mouse would be transparent or invisible to the user. In the background Aharonovsky shows the attack modifying the Flash privacy settings. Aharonovsky says "bear in mind that every Flash, Java, Silverlight, DHTML game or application can be used to achieve the same thing."

The flaws--there may be a half dozen or so specific vulnerabilities related to this--affect users of Internet Explorer, Firefox, Opera, Apple Safari, and Google Chrome. Turning JavaScript off within the browser won't work. The attack doesn't rely on JavaScript. Grossman commented: "Clickjacking is a well-known issue, but severely underappreciated and largely undefended."

Adobe advises users of Flash to set Adobe Flash Player Settings Manager to "always deny." This means that users will not be asked to allow or deny camera and or microphone access after changing this setting. Adobe says a Flash Player update addressing the issue will be available before the end of the month.

Users of Firefox should in the meantime consider use of the NoScript plug-in and set it to forbid iframe content. More details on configuring NoScript to block this attack can be found here

Additional US-CERT tips for securing other browsers can be found here.