April 11, 2011

Attackers are exploiting a previously unknown security flaw in Adobe’s ubiquitous Flash Player software to launch targeted attacks, according to several reliable sources. The attacks  come less than three weeks after Adobe issued a critical update to fix a different Flash flaw that crooks were similarly exploiting to install malicious software.

According to sources, the attacks exploit a vulnerability in fully-patched versions of Flash, and are being leveraged in targeted spear-phishing campaigns launched against select organizations and individuals that work with or for the U.S. government. Sources say the attacks so far have embedded the Flash exploit inside of Microsoft Word files made to look like important government documents.

Adobe spokesperson Wiebke Lips said the company is currently investigating reports of a new Flash vulnerability, and that Adobe may issue an advisory later today if it is confirmed.

On March 11, Adobe issued a critical update to fix a security hole in Flash that it had earlier said was being attacked via malicious Flash content embedded in Microsoft Excel files. It’s not clear how long attackers have been exploiting this newest Flash flaw, but its exploitation in such a similar manner as the last flaw suggests the attackers may have a ready supply of unknown, unpatched security holes in Flash at their disposal.

Update, 3:57 p.m. ET: Ever wonder what anti-virus detection looks like in the early hours of a zero day outbreak like this? A scan of one tainted file used in this attack that was submitted to Virustotal.com indicates that just one out of 42 anti-virus products used to scan malware at the service detected this thing as malicious.

Update, 4:10 p.m. ET: Removed advice about deleting or renaming authplay.dll, which several readers (and now Adobe) have pointed out is specific to Adobe Reader and Acrobat.

Update, 5:05 p.m. ET: Adobe just released an advisory about this that confirms the above information.

58 thoughts on “New Adobe Flash Zero Day Being Exploited?

  1. Technocrat

    I believe Authplay.dll is part of Reader and Acrobat. Each have their own embedded Flash Player intself of them.

    If this matches the previous XLS/SWF case, the SWF in the office file will be rendered in the Flash Player Browser Plug-in…which is seperate from Reader/Acrobat.

    1. BrianKrebs Post author

      Yep. You are correct. I heard the same from Adobe. Have updated the post above to remove that advice, along with a note about the change. Thanks.

  2. drzauisapelord

    I always curious about the one or two products on virus total that seem to always catch everything. How bad is Commtouch’s false positive rate?

    1. JCitizen

      Better yet, I wonder which product it is? I can live with false positives, as long as the utility allows me to quarantine and/or ignore.

    2. Avi

      In the most recent Virus Bulletin comparative AV test, Commtouch had zero false positives.

  3. finack

    “Disentangling Industrial Policy and Competition Policy.doc”

    Pretty fascinating how we are occasionally provided a close to real-time window into espionage programs these days. Half a century ago the ability of the general public to glance into the who and what usually took 20-30 years if it arrived at all.

  4. drzauisapelord

    Has this been tested in Chrome with its sandboxed Flash?

    I’m really bothered by the fact that the industry hasn’t moved more on sandboxing. Win7/Vista provides native sandboxing capabilities for developers to build on. The idea that my browser is willing to run content on plugins with native credentials (even limited) is crazy. Even with sandboxing its still a little crazy.

    This is why I love Chrome. I simply don’t run Java and Chrome runs minimal plugins and of course its flash and pdf is sandboxed and auto-updated. Heck, Google even patches Adobe Flash on its own. I believe via the sandboxing layer, but I’m not certain.

    Browser makers, please start taking plugin security seriously.

    1. Peter

      From what I have read the challenge to sandboxing, particularly in Acrobat/Reader X is not all of the applications those products interact with handle the sandbox very well. Reality is if the sandbox causes business applications not to fuinction properly the sandbox goes out the door.

      1. JCitizen

        Also, sandboxes don’t play well with Windows x64 kernel.

        1. drzauisapelord

          Is there a cite for this? I’d love to read more about this if its true.

          1. JCitizen

            I’ve always been told that is the reason Chrome won’t install on Vista x64 – that the sandbox won’t work in the x64 kernel patch guard. I don’t have a link, but Avast won’t install its sandbox in standard accounts either. Instead it evokes some kind of Citrix/Novell type desktop built on Chrome, that takes over the whole session and runs in the fore-ground. Don’t ask me how they do it, but when it is running the Windows desktop is gone.

            Comodo’s sandbox is very unstable but only runs on Administrator accounts, if my memory serves me well.

          2. JCitizen

            I meant that to read “on standard accounts” for Chrome installation there drzauisapelord.

      2. drzauisapelord

        I’m not too worried about what “business” thinks. This is the same “wisdom” that told us that we couldn’t have a lot of things we now take for granted (priv seperation, frequent password changes, encryption, etc) because its costs time or money.

        Sandboxing itself shouldn’t be limiting. If you write your broker process properly you can do whatever you need.

  5. Brian

    Can we get a sample of this? It’s crucial to reverse this at once, I’m not waiting a month for another patch.

    1. nojob

      hi, can you send me a sample if you get it? I want to know how they can do it. it’s a bad and great thing.

  6. Maureen

    I love Chrome. But I have a question about downloading for IE (since I have to use it for some sites here). I have filehippo on my tool bar, and it tells me when Adobe has flashplayer beta versions (10.3…) available for IE. Should I be downloading those, or are those only for people testing it for websites? (My gut tells me not to, but I want to make sure.)


    1. drzauisapelord

      I wouldnt play with betas unless you have a reason to do so. They’re behind on security updates, break things, and sometimes muck up the update process to the proper non-beta version.

    2. CloudLiam

      The next time you run FileHippo uncheck “Show Beta Versions” and you won’t see those anymore.

  7. DeborahS

    I’m not sure if someone else has said this already or not, but it turns out that the RSA breach that may compromise SecurID tokens was initiated by a spear-phishing attack in which Excel attachments to email contained malware exploiting a Flash hole.

    cnet wrote this up last week:

  8. Charlie Griffith

    Here’s a layman’s experience this evening trying to view GoogleNews video clips…

    I can’t via IE9 but I have no problem viewing them via the current, up to date Firefox……even with a split screen with IE9 on one side and Firefox right beside it using the current, up to date Windows 7.

    Why do I mention this amidst all of the technical-back-and-forth here?

    Because in troubleshooting this inability with IE9 I was repeatedly told via a pop up window to download the latest version of Adobe Flash Player. When I attempted to do that another popup said during the downloading process that the current download was incomplete, with of course, no further explanation. Further checking indicated that I’d already had the “latest” version of Adobe’s Flash Player…..even though I was admonished via Adobe’s own popup to download the “latest” version.

    I don’t have to say that this circular BS is enough to drive me up the wall if I’d continue this endless troubleshooting. So I stopped.

    Then, scanning my email, I saw Brian Krebs’ posting here on this subject and thought that even though I don’t use “Word” or related programs, nor do I surf Government programs, maybe I’m infected. Forums on IE9 are no help….just more circular stuff.

    For any who’ve read this far, I’d be grateful for any suggestions in grammar school English as to how to do this simple thing. I don’t mean to sound snarky, but I’m truly fed up with these onionskin layers of complexity I’m fruitlessly exploring…..one by one.

    Does paying twice as much money for an Apple PC solve all of this BS? I’ve been led to believe this may be the answer.
    Should I simply forget this latest “issue”? ….and simply use Firefox?

    1. Charlie Griffith

      Waste no time on my own Adobe problem just above….I found the answer right here:

      …….”http://forums.adobe.com/people/cnfrisch-DiV1B6;jsessionid=1EF088523F1C6EE7030F8B9AF7E79975.node0″ ……

      …apparently wholly unrelated to this topic.

      Sorry to have made the posting……

      1. Terry Ritter

        @grumpy: “The short answer to “Will getting an Apple make me secure?” is: no.”

        Really? From the first page of the cited article: “At present, a Mac with Snow Leopard is the safer option primarily due to its market share being well below Windows 7’s.”

        And the Win7 share will continue to grow.

        So, with respect to malware security only, that “no” should be: YES!

        1. JCitizen

          Should have read “totally safe” no, safer maybe.

          1. Terry Ritter

            @JCitizen: “Should have read “totally safe” no, safer maybe.”

            I am happy to go with “safer.” Statistical benefits do not extend to directed attacks. But the massive statistics DO apply to most ordinary users. For the usual case, the more correct answer would be “vastly safer.”

            The point is that what was claimed in the cite was false. Do you not get the problem with misrepresenting the content of a cite?

    2. Al Mac


      When admonished by a pop-up from some vendor, to download latest whatever, how do you know the pop-up is really from the vendor it claims to be from, and what you’re downloading is really what it claims to be?

      If you were really downloading from the real McCoy, quality patching should be good enough, so it can tell if you already have the latest, and not have pop-ups in the middle of the patching, that interfere with the patching. Unfortunately many vendors do not have a quality patching process.

      1. Charlie Griffith

        Al Mac….
        Re: your ….”how do you know the pop-up is really from the vendor it claims to be from, and what you’re downloading is really what it claims to be?”

        Yikes! You didn’t know that I’m Mr Paranoia. I’d’ve made a great Director of Lubyianka’s Office of Lurking.

        I think the answer to all of this is that there is no answer, and due diligence and caution are to be applied when looking at potential downloads. I attempt this with great care. Hence my frustrated rant earlier. Informed judgement can be hard to come by. Boot up the machine….and something doesn’t work….why?

        At a local “Help” counter where one of the staff confided to me, off the record, that he thought that these MS programs are needlessly complex, confirmed my own lay conclusion that these Monthly Tuesday Corrections shouldn’t be necessary. But the reality remains that they’re a fact of life, and seem to be regularly….anticipated. Why is this if not due to too much complexity? Where is the briliance to solve this, when brilliance seems to be so abubdant out there on the West Coast? Yet another circular aspect of this medium.

        So the onus seems to be on Hewlett Packard,(?) Dell (?) and the actual computer machine makers to collaborate more intimately with M/S’s engineers/programmers at each stage of any “advance”, and maybe these frustrations of mine….multiplied by zillions worldwide would evaporate.

        We zillions of meek users being used should arm ourselves with pitchforks and barrels of very hot tar……but where to attack? Who to subpoena and indict?

        There’s a whole industry of folks fighting the results of this complexity; there are legions of forum-discussions-comment of the most minute aspects of all this, and yet nothing seems to be accomplished.

        Why not?

        1. JCitizen

          I suspect ALL popups; if in doubt open the application and see if their is actually an update available. I must admit, I get careless when I see File Hippo popups, but then I don’t click on them, I simply log off the standard account and go into the Administrator side to do the patching.

          Secunia PSI seems to do this automatically most of the time. It is an amazing piece of work!

    3. Datz

      Why not use Ubuntu. It is free and safe; and fun to use, as my daughter says.

      1. prairie_sailor

        Any OS is only “safe” as long as it stays below the threshold of low usage – as soon as large numbers of people start using any OS the hackers will start actively looking for the flaws in the system and exploit them heavily – profit knows no boundaries.

        1. Al Mac

          OS safety is also related to avenues for malware and hackers to connect to it.

          Most of my career I have worked on IBM-OS used for medium sized corporations. We can go for years without needing any patches. It is a different environment, where security is included from the very beginning, without the kinds of problems that other OS have because security was an after-thought.

          However, because it is well known that IBM-OS are like a bank vault, most corporate managers don’t take security seriously, and insist on corporate practices which are the equivalent of leaving the bank vault doors wide open, no one watching who is coming or going, leaving the doors to the bank unlocked, and no burglar alarm.

          1. JCitizen

            If for no other reason, using Windows is using a battle tested operating system. It may not be coded as well as the typical FOSS distro, but then the capability to do specialized work makes it an imperative in my world.

            To me, Win7 is a predictable threat. I can almost smell trouble when using it, whereas when using a FOSS solution, I always have that nagging feeling that something is slipping past my attention. Call it paranoia, because it is; but I feel safer with an MS OS because of the blended defenses I can put on it, and the predictability of the behavior I can detect.

            If I had been using FOSS for years I would probably feel the same way with it, but FOSS solutions have never come up with apps that work in the automated control industry – they may make the occasional app, but I need interoperability with multiple brand technologies, and Windows IS the only solution for those.

  9. brucerealtor

    Perhaps a bit off topic, since Flash obviously has nothing to do with the multiple issues being experienced by your former employer, the washington post, regarding posting of comments in their comments section .

    Nevertheless, numerous individuals are able to post comments, so I wonder if you have ANY IDEA why some can post [who can log in] and others can’t ???

    The comments section of the NY Times doesn’t seem to be having difficulties.


  10. Jim J.

    Reading through the material at the end of the link provided by “grumpy” and many previous hacker/exploiter/skimming, etc, sites. Seems that computer related crime can be promoted, bragged about, and detailed without fear from law enforcement. The stubble irony is some, if not many, top computer hackers (criminals) are employees of security or software development companies. In addition, A few receive big bucks and prizes for their speaking circuits. Would not make fame or monetary sense to give up their criminal activities in cyberworld for a ho-hum honest job.

  11. Jane

    How is anyone being “phished” with a Word document? All the real documents are PowerPoint.

    1. JCitizen

      Let me guess – you are a “power user” – we got rid of those positions at my last contract. Nope – don’t need ’em. Their are administrators, and users, and that is it.

      Never had a security problem after that move.

  12. Jim E

    So do I uninstall Flashplayer until it’s fixed????
    AND, ever since the Epsilon thing, I am getting multiple emails telling me I’ve inherited millions all from different sites. Anyone else getting more of those, too?
    But at least it’s Sunny in Wisconsin and we missed 4 tornadoes by less then 5 miles so I guess these bogus emails are the least of our concern at the moment.

    1. JCitizen

      Dear Jim E;

      As for me personally, I don’t uninstall flash, as I primarily use Mozilla, and keep No Script in force, and don’t get click happy on any site or email.

  13. Doug

    You still have to open the obviously bogus attachment to get infected…so once again, your own common sense has to come into play….simply don’t open attachments and you will just about completely mitigate getting infected from your emails. Now browsing the web is another battle…

  14. Jim E

    Doug….the email getting all of these is “Fastmail.FM” which took over for “OperaMail” very recently. It’s index for each email also shows the first part of the enclosed message without my opening it so it’s easy to tell what it’s about. Since my earlier note, I just won 500,000 pounds so these guys are really active (yes, I know it’s all automated) but I wish I could respond somehow with 500,000 emails back to them that all say, “NO THANKS, KEEP IT ALL AND START A NEW @##$in’ LIFE!”

  15. susan

    Is opening suspicious emails in Thunderbird print preview safe?

    1. DeborahS


      I’m not familiar with Thunderbird, but as a general rule it’s not safe to open suspicious emails in preview mode. If your email reader can render HTML in the preview window, it can probably execute Javascript, PHP or other code embedded in the message. If you know that your email reader disables all code of any kind from running, you’re a little bit safer, but any images embedded in the message, whether you can see them or not, will leave entries in the domain logs of the image hosting domain. So they’ll know that you opened the email and they’ll have your IP address plus whatever encoding they may have put in the link to the image. Sometimes they’ll put your email address in the image link, or a hash that locates your record in their database.

      Generally I don’t open suspicious emails at all. In Outlook I can save messages to a text file without opening the message, and that’s what I do if I’m not sure if the message is one that I should open. Then open the text file in Notepad, because no code embedded in HTML will execute from Notepad. If it’s an HTML message you have to wade through the HTML to find actual text, but if I can’t find any readable text I delete it as spam. If there is readable text then I can see whether it’s something I want to open and look at. Normally I don’t have to do this very often, but it works quite well in those few instances where I really can’t tell from the sender, subject and headers.

      You should also be able to look at the email headers without opening the email. I don’t know how you would do this in Thunderbird, but probably there is a way. Since email headers can be spoofed, seeing a trusted sender is no guarantee that the email is safe, but if you see typical spammer gobbledtygook for sender & domain names, that’s usually all you need to know. Delete it right now! Or better yet, what I do is move all the spam to a folder that I can’t easily access, so I don’t accidentally click on it, and then clean out the spam folder once a week (when I’m alert and paying attention), permanently deleting them all.

      Hope this helps

      1. Doug

        FYI, in Thunderbird, to view the headers and complete information, you highlight the email in question so it turns blue, then you goto the Menu Bar. Click View – Message Source. All the info you could ever want is there.

        Also to Susan, I assume you have the Message Pane disabled. (View – Layout – Message Pane)
        Then to safely view an email, you’d do a print preview.

        I tested this and yes, it does seem to be “safe” as it does not execute anything within the email body or open attachments or the like. But unfortunately you can never be to cautious and I’m sure hackers have found a flaw in the way Print Preview handles email that they can do something bad I’m sure.

    2. Doug

      Personally I don’t know, but as a general practice, why would you even want to do that? If you receive an email whether personal or business, that is not from someone you personally know or some other business function, why do you even care to look at it?

      I use Gmail, and so far I get maybe a handful of emails per month that Google’s spam filtering misses that end up in my inbox. I also get lots of other mailing list type messages that I quickly skim through, then just do a Select All – Delete….no fuss, no muss.

      If you are suspicious of an email, even if from a friend or person you know, give them a call to confirm they did in fact sent you that email. Otherwise, if you aren’t that close to have their number, then they are not important enough to risk opening whatever stupid email joke, chain letter, funny video, inspirational quote, etc….just delete it.

      When I do my testing of opening attachments I do it in a virtual machine, even though that is not as safe as it once was, but so far I have had no trouble doing virus testing this way.

  16. andy1

    This got me thinking – is there a way to disable flash in Office? Wouldn’t it be an easy layer of security to add?

    1. BK

      Remove Flash Player (active-x) for IE…and quit using IE 🙂 See F-Secure blog.

  17. Ron Blackwell

    I think Google just updated its embedded version of Flash Player for the Chrome browser. After updating the browser, I’m now showing version 10,2,154,27.

  18. Jim J.

    Adobe updates really suck. Seems they pull all stops in order to make updating as painful as possible.

    I used their manual update which included the old flash uninstaller. However, the update failed to install during each attempt. Now, I get the nag to install flash here on Krebs, Which I click and the install returns a not installed error message.

    Will probably need a restore point to retreive the old player.

  19. Jim Evans

    My Chrome has also updated itself. Qualsys browser check is now reporting that the Flash for my Firefox is out of date.

    However on Adobe Flash check page, they are reporting the old version as current.

    Brian, can you confirm?

    1. BrianKrebs Post author

      Hi Jim. Google is pushing out new versions of Flash automatically through Chrome before Adobe issues them to the general public. So, yes, you probably already have the update that Adobe will release later today for this vulnerability if you’re using Chrome.

Comments are closed.