Google has reacted very quickly to the news this week of a new vulnerability in Adobe Flash and on Tuesday released a new version of Chrome that includes a fix for the Flash bug. Adobe said it plans to have its own fix ready for the flaw next week.
The new version of Chrome that Google released hit the streets just a day after Adobe announced the Flash bug in a security advisory. The vulnerability is in Adobe Flash Player and is also present in the company’s Reader and Acrobat applications. Adobe officials, as well as researchers at other security companies, said that the Flash bug is being used in targeted attacks that rely on an Excel spreadsheet containing a malicious SWF file.
“There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing,” Adobe security officials said in their advisory.
On Wednesday, researchers at FireEye said that the malware being used to exploit the Flash vulnerability is somewhat primitive, but that it is preying on the tendency of users to open innocent-looking files. The malware is essentially a Trojan downloader, which FireEye is calling Linxder, that downloads and installs a series of components, including an Excel file that appears to be a legitimate document that may have been stolen at some point and rigged with the malicious SWF file.
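The attack described above hides a Flash file inside an Excel document, so a first triage step for a suspicious attachment is to check whether the file carries an embedded SWF at all. The following is an added example written for this article, not code from Adobe, FireEye or the article's author. It scans a file's raw bytes for SWF headers, validates the header fields (signature, version byte, little-endian length, and for CWS a zlib stream start) so that a stray "FWS" inside ordinary text does not trigger, and carves the SWF out in uncompressed form for further analysis. The container it scans by default is a constructed stand-in for the rigged .xls, built inline; the version cap and the decoy bytes are assumptions for the demonstration, and LZMA-compressed (ZWS) carving is left out.

```python
"""Triage check for Flash (SWF) content embedded in an Office document.

Added example for this article; not code from Adobe, FireEye or the author.
Scans raw bytes for SWF headers, validates them, and carves the SWF out.
"""
import struct
import sys
import zlib

# SWF header layout (Adobe SWF spec): 3-byte signature, 1-byte version,
# 4-byte little-endian *uncompressed* file length. FWS = uncompressed,
# CWS = zlib-compressed (SWF 6+), ZWS = LZMA-compressed (SWF 13+).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
MAX_PLAUSIBLE_VERSION = 64  # assumption: generous cap to reject random bytes


def find_swf_headers(data: bytes) -> list:
    """Return plausible SWF headers found anywhere in `data`, sorted by offset."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos >= 0:
            hit = _validate_header(data, pos, sig)
            if hit:
                hits.append(hit)
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def _validate_header(data: bytes, pos: int, sig: bytes):
    """Reject signature matches whose following bytes cannot be a real header."""
    if pos + 8 > len(data):
        return None
    version = data[pos + 3]
    length = struct.unpack_from("<I", data, pos + 4)[0]
    if version == 0 or version > MAX_PLAUSIBLE_VERSION or length < 8:
        return None
    if sig == b"FWS" and length > len(data) - pos:
        return None  # uncompressed length exceeds the remaining container
    if sig == b"CWS" and (pos + 8 >= len(data) or data[pos + 8] != 0x78):
        return None  # a zlib stream starts with a 0x78 CMF byte
    return {"offset": pos, "signature": sig.decode("ascii"),
            "version": version, "length": length}


def carve_swf(data: bytes, hit: dict) -> bytes:
    """Extract the SWF at `hit` and return it as an uncompressed (FWS) file."""
    pos, length = hit["offset"], hit["length"]
    header = b"FWS" + bytes([hit["version"]]) + struct.pack("<I", length)
    if hit["signature"] == "FWS":
        return data[pos:pos + length]
    if hit["signature"] == "CWS":
        d = zlib.decompressobj()  # tolerates trailing container bytes
        body = d.decompress(data[pos + 8:], length - 8)
        return header + body
    raise NotImplementedError("ZWS (LZMA) carving is not covered by this example")


def build_sample_swf(compress: bool = False) -> bytes:
    """Construct a minimal benign SWF: empty stage, one frame, End tag only."""
    body = bytes([0x00])          # RECT with Nbits=0 (empty stage)
    body += bytes([0x00, 0x0C])   # frame rate 12.0 (UI16 fixed 8.8, little-endian)
    body += bytes([0x01, 0x00])   # frame count 1
    body += bytes([0x00, 0x00])   # End tag (code 0, length 0)
    length = struct.pack("<I", 8 + len(body))  # 8-byte header + body
    if compress:
        return b"CWS" + bytes([10]) + length + zlib.compress(body)
    return b"FWS" + bytes([10]) + length + body


# Constructed stand-in for a rigged .xls: OLE2 magic, filler, a decoy "FWS"
# inside ordinary text (version byte 0, so it must be rejected), then a real
# zlib-compressed SWF, then trailing bytes.
SAMPLE_CONTAINER = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32
    + b"quarterly FWS\x00\x00\x00\x00\x00 report" + b"\x00" * 16
    + build_sample_swf(compress=True) + b"\x00" * 8
)


if __name__ == "__main__":
    # Usage: python swf_triage.py [suspicious_file]; defaults to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONTAINER
    for h in find_swf_headers(data):
        print(f"SWF {h['signature']} v{h['version']} at offset {h['offset']}, "
              f"uncompressed length {h['length']}")
```

A hit is a reason to detonate or hand the file to a Flash analyzer, not proof of exploitation on its own: legitimate spreadsheets can embed Flash objects, which is exactly why an embedded SWF in a file that arrived as an email attachment deserves scrutiny rather than an automatic verdict.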
“If you take a closer look into the contents you might guess who might be the targeted users. But that’s not the end of it. If one looks into the metadata associated with this Excel file, there is some interesting information which can lead us to the history of this Excel file,” Atif Mushtaq of FireEye wrote in an analysis of the Linxder malware.
Mushtaq found metadata in the Excel file that suggests it was originally created in 2003 by a college professor and then modified and loaded with the malware by someone who is a known member of the Chinese hacking underground.
“One can see that the last saved date (3/8/2011) is very close to the known release time of this attack. Apparently it looks as if this file was last saved on a computer with the logged-in username ‘linxder’. Who is this linxder? My colleague Darien pointed me to a few links on Google that tell us that a guy named ‘linxder’ is a known Chinese threat actor. This guy is an old-school hacker that has a fairly expansive social network,” Mushtaq wrote.
“If one searches linxder’s Baidu profile, we can see that he talks a ton about weaponizing Flash containers in other file formats, which is exactly what happens in this attack. Based on this evidence it can be said with reasonable confidence that the Chinese hackers are the masterminds of this attack. Although it’s also possible that some rival group is trying to mislead the world by wrongly involving linxder in this matter.”