Incident Response, Malware, Patch/Configuration Management, TDR, Vulnerability Management

Adobe Flash threat widens, but patch is available

Updated Wednesday, May 28 at 5:41 p.m. EST

Adobe recently patched a vulnerability in its Flash Player that is being actively exploited to infect machines with gaming trojans, researchers said Wednesday.

Regardless, tens of thousands of websites beginning Saturday have been compromised with SQL injections so they can serve as launching pads for the exploit.

Matt Richard, director of the Rapid Response Team at VeriSign iDefense, told SCMagazineUS.com on Wednesday that the class of vulnerability being used in the attacks – a null-pointer dereference – is rarely exploited.

Adobe patched the specific bug on April 8. But Chinese attackers appear to have built their exploit based on a 26-page research report published last month by Mark Dowd, an IBM Internet Security Systems researcher. Dowd discovered the vulnerability, and in the paper, detailed how it could be exploited.

“These guys in China used it as a blueprint to build this exploit,” Richard said. “These guys literally replicated it as he laid it out.”

Roughly half of users are patched with latest version of Flash, 9.0.124. Richard said it is possible for users who leverage more than one browser to be running different versions of the software.

“It does require a little more diligence than just checking, say, the version you got installed with IE (Internet Explorer),” he said.

Users are infected when they visit a compromised website, which automatically opens a hidden IFRAME. According to McAfee, a Google search yields about 250,000 page resultsthat contain malicious scripts referencing an SWF (Shockwave Flash)file.

Many of these sites being used to redirect users to the malware are questionable, Richard said. However, some, including the British men's magazine FHM, are legitimate.

“There's nothing visible that the user would see,” Richard said. “It loads in the background. If successfully exploited, it runs the code, all with no user interaction.”

A spokesperson for FHM did not respond to a request for comment.

The payload is a trojan that steals online game usernames and passwords, such as for World of Warcraft. This information allows attackers to steal virtual assets, which can be sold in the black market for real money.

“It's a very lucrative underground economy, particularly in China,” Richard said.

The fear now is that some of the more malicious hacker groups, particularly those that perpetrate bank fraud, will catch on to the exploit and begin including it in their toolkits, he said.

Adobe, in a statement, said on Wednesday that the vulnerability does appear to be a previously patched issue, and the company said it "strongly encourages" users to upgrade to the latest version.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.