March 14, 2011

Adobe warned today attackers are exploiting a previously unknown security flaw in all supported versions of its Flash Player software. The company said the same vulnerability exists in Adobe Reader and Acrobat, but that it hasn’t yet seen attacks targeting the flaw in those programs.

In an advisory released today, Adobe said malicious hackers were exploiting a critical security hole in Flash (up to and including the latest version of Flash. The software maker warned the vulnerability also exists in Adobe Flash player 10.2.152.33 and earlier versions for Windows, Mac, Linux and Solaris operating systems (10.2.154.13 and earlier for Chrome users), Flash Player 101.106.16 and earlier for Android. In addition, Adobe believes the bug lives in the “authplay.dll” component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Mac systems.

Adobe warns that the security hole is currently being exploited via Flash (.swf) files embedded in a Microsoft Excel document delivered as an email attachment. Why someone would need to embed a Flash file in an Excel document is anyone’s guess.

The company says it is in the process of churning out a fix for the problem, which should be available during the week of March 21.

For those readers wondering whether the security fortifications built into Reader X block this attack, Adobe says you will have to take their word for it:  “Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.”  Brad Arkin, senior director of product security and privacy for Adobe, said in a blog post that providing an out-of-cycle update for Adobe Reader X would have delayed the current patch release schedule by about another week.

Now is a good time to point out that the “Noscript” plugin for Firefox will block Flash on sites that you have not specifically allowed to load Flash files. If you are looking for alternative PDF readers, there are several.

In other news, Google said Friday that it is seeing some highly targeted and apparently politically motivated attacks against users that abuse a publicly-disclosed vulnerability in Internet Explorer. Microsoft has not issued an official patch for this IE flaw yet, but if you browse the Web with IE, it would be a great idea to take advantage of the FixIt tool that Microsoft has made available to blunt the threat from this vulnerability.

 


24 thoughts on “Adobe: Attacks on Flash Player Flaw

  1. Ellie K

    I wonder why they even bothered?

    It is so strange. I can’t imagine a use case for embedding Flash content in an MS Excel spreadsheet!

    1. drzaiusapelord

      This is done, probably, because it gets you through all sorts of corporate security. PDFs with embeds are blocked, swf are blocked, links to suspicious domains are block quickly, etc. An excel file with an embedded object or link to a malicious swf is bizarre enough to get by because no one expects it.

      The downside is that a lot of home users can’t open it. I wouldnt be surprised if it was used originally in a targeted attack.

      Hopefully someone can see if this exploit works against limited users.

      On the plus side this is another win for Adobe’s sandboxing solution for Acrobat Reader. I believe this is the second attack that 10.x blocks that 9.x would allow. Lets see if flash sandboxing in Chrome works out.

    2. RJ

      Embedding video/audio files in Office documents is used to bypass corporate email server format filters. I have seen SWF files (games) embedded in excel spreadsheets in order to distribute them to areas where the firewall/internet filter would usually block them.

      It’s also pretty sneaky, not everyone will be expecting an innocent spreadsheet would have capabilities to do damage. (If only they were simple spreadsheets, instead of VBA macros, embedded documents etc etc etc)

      1. CW

        How about an NCAA bracket spreadsheet (I’ve seen some in Excel), with some Flash animations of mascots and team logos inside?

        There is no real business need for this type of thing, but like you said, people can get sneaky to get this stuff through corporate firewalls and email filters.

  2. Fuzzy

    That was certainly fast for the “malicious hackers” to find an exploit that is in all versions. I wonder if they (the hackers) were part of the developer team for adobe?
    I mean it was barely what a month maybe two months since flash 10.2 was released? I know some people are fast but to reverse engineer the code and find a hole in all platforms in less then 2 months? there has to be someone within adobe that is providing the code.

    1. drzaiusapelord

      No need for conspiracy theories. The history of hacking is one of finding exploits without source and from the outside. I don’t see why this needs to be any sort of exception.

  3. Michael McNamara

    I’m curious if the use of Microsoft Excel has something to-do with bypassing the front line security. It also makes NoScript useless since the Flash object is embedded in and Excel document and will today’s AntiVirus solutions scan embedded Flash objects in an Excel file?

    It seems like you don’t need a browser at all to get infected with this one.

    Cheers!

    1. BrianKrebs Post author

      Adobe said they were targeted attacks, and previous attacks on Adobe’s software that used zero days also were very targeted. I think you’re exactly right: This was probably a chink in the armor that very few people even knew to look for.

      1. Nelda

        Articles like these put the consumer in the driver seat—very imorpantt.

  4. Nick P

    These kinds of attacks are why I often promote the use of simple formats without scripting and embedding for documents that dont need these features. A good example is PDF-A. A document conforming to this standard is unlikely to cause harm. Need a similar stripped down format for spreadsheets and better access control at application level.

  5. Doug

    Typo alert..

    “Now is a good time to point out that the “Noscript” plugin for Firefox will block Flash on sites that you have specifically allowed to load Flash files. ”

    should be:
    “Now is a good time to point out that the “Noscript” plugin for Firefox will block Flash on sites that you have NOT specifically allowed to load Flash files. ”

    Brian, many thanks to you for your always informative articles!

  6. A-Doh!-Bee

    The flash browser plugin should be redeveloped to auto-update from a secure (SSL) adobe url when the updates are made ready. Uninstallation and reinstallation manually is a pain in the ass with updates becoming more frequent. This rings true moreso if you admin more than a handful of Windows boxes.

    1. Peter

      If you admin a few Windows machines you are likely in a situation where there is a mass deployment tool, including AD. Adobe does provide MSI versions of the Windows installation which can be given silent switches deployed via GPO. In the event you are supporting multiple machines without AD or any other deployment method the option to deploy with the MSI using a batch file or VBScript still exists.

      Having said all of that I agree the Adobe manual process is a PITA especially with the additional items they have thrown at us ( which have been disparaged ad-nauseam here).

    2. Josh

      We’ve been using GFI LanGuard for the last couple months – and it has worked wonders as far as non-microsoft patching is concerned. We use it to patch Java, Adobe Reader and Acrobat, and Flash on all of our client boxes. Check it out!

  7. brucerealtor

    I must admit that I am a NOVICE in this entire area, but I recall a programmer friend of mine telling me some years back that the way ‘her boss’ corrected errors in programming was simply to type ‘end’ at the conclusion of a problem command, instead of making the effort to really find the code problem in the software and correct it.

    Are many of these kinds of issues caused by novice programmer screw ups and if so, who is reviewing their programming efforts anyway?

    This makes about as much sense as putting nuclear power plants on or near known tectonic [?] fault lines, or is that simply something irrelevant or unavoidable in practice:?

  8. Peter

    Has anyone else notices that authplay.dll seems to be the constant attack point for Flash/Reader issues? Perhaps it is time for Adobe to reconsider how Flash is linked to Reader or how Reader uses Flash.

    Just a thought…

  9. Mark

    To me the significance of this exploit is that is that it is a OS agnostic.
    I’m no security expert, but is this common to see Flash exploits on all major OS’s? I never see any news about Linux or OSX being compromised in real world usage.

    1. Jason

      I don’t know that I’ve seen news about Linux or OS X boxes being compromised through Flash but I have seen warnings about upgrading Flash or risking accounts being compromised. I send user alerts to my LUG members regarding Flash vulnerabilities on a regular basis because the warnings also pertain to Linux.

    2. Nick P

      Well, a vulnerability in a cross-platform app’s OS-agnostic is a risk to all systems it runs on if the class of exploit works on those systems. A buffer overflow is a good example: buffer overflows can lead to creation of exploits on Windows, Mac, and Linux. And to be sure, in many hackathons, the Mac fell first using a Flash vulnerability. I remember the first such hackathon I looked at involved the Mac-book Air and the app fell to a simple attack involving faulty input that the app didn’t validate.

      A modern Windows 7 installation has a decent security profile over past versions. The combination of No-Execute support, better engineered browser, and Windows Mandatory Integrity control makes exploits more difficult. Chrome on Windows 7 with Intel NX support ‘on’ and running from a limited account is the best option right now for Windows users.

      Mac benefits primarily from obscurity and is behind in security features. Heck, Mac OS X and Server was only certified to EAL3 on common criteria, which is a joke considering their competitors are at EAL4+ (EAL4 augmented with extra requirements). It’s a bigger joke when you find that EAL4 means they just have a structured process with quality control and only protects against “inadvertant or casual” attacks. Mac couldn’t even make EAL4, so what’s that tell you about their development process and security features?

      Linux’s prime benefit is sandboxing technologies like the Mandatory Access Control. SELinux and AppArmor are the main offerings, I recently discovered SMACK (ultra-simple) and TOMOYO (automated like AppArmor). I’d definitely recommend SMACK for simplicity, especially for server or software appliances. TOMOYO might be useful for quickly creating MAC policies for desktops, esp. those whose software packages don’t change much.

Comments are closed.