Adobe Flash Attacks Underway; Harden PDF Reader Immediately

Malicious hackers have found a new vulnerability in Adobe’s ever-present Flash software and are using rigged PDF documents to launch exploits against Windows targets.

The Adobe Flash Player flaw, which is currently unpatched, affects millions of Windows XP and Windows Vista users.  Adobe has acknowledged a “potential vulnerability” but, inexplicably, has not seen it fit to warn of the zero-day attacks or issue pre-patch mitigation guidance to tens of millions of its customers.

Malicious hackers have found a new vulnerability in Adobe’s ever-present Flash software and are using rigged PDF documents to launch exploits against Windows targets.

The Adobe Flash Player flaw, which is currently unpatched, affects millions of Windows XP and Windows Vista users.  Adobe has acknowledged a “potential vulnerability” but, inexplicably, has not seen it fit to warn of the zero-day attacks or issue pre-patch mitigation guidance to tens of millions of its customers.

Here is Adobe’s only communication so far:

Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10. We are currently investigating this potential issue and will have an update once we get more information.

Instead, word of the attacks have started to drip out from security companies monitoring the Web for malicious activity.

From Symantec:

Recently we came into possession of an Adobe Acrobat PDF file that upon opening drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload. And, during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash — not Adobe Reader as we initially suspected.

… The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique. Typically an attacker would entice a user to visit a malicious website or send a malicious PDF via email. Once the unsuspecting user visits the website or opens the PDF this exploit will allow further malware to be dropped onto the victim’s machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse.

My colleagues at Kaspersky Lab have confirmed the zero-day nature of the attacks, which take advantage of a feature available in Adobe Acrobat: embedded Adobe flash objects in PDF documents.

In the current case, targeted attacks with Chinese-language PDF documents, the Flash exploit is fitted into a clean Adobe PDF file.   If the target’s browser allows opening PDF as embedded objects or user agrees to download and open the file with the local viewer — he gets hit with malware.

There is evidence that at least one of the exploits was created on July 2, 2009.

In the absence of mitigation guidance from Adobe, here is my recommendation: Disable Flash in Acrobat Reader or disable embedded objects your current browser.

In Adobe Reader, click on Edit > Preferences Settings >Multimedia Trust -> Permission for Adobe Flash Player -> Set drop down to “Never” or “Prompt”  (click image for full size).

In the comments below, Adobe’s Brad Arkin points out that my recommendation falls short of providing adequate security in the face of these attacks.

Arkin writes:

 

The steps that you highlight in this post disable how to use the “legacy” approach. The legacy approach uses the Flash Player installed on the machine to play SWFs. The second approach for viewing SWF content in Adobe Reader and Acrobat v9.x leverages a bundled component called authplay.dll. The sequence of User Interface steps that you describe in this post DO NOT disable the authplay.dll approach for viewing SWFs.

The official mitigation guidance from Adobe is to delete, rename or remove access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x:

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:Program FilesAdobeReader 9.0Readerauthplay.dll or C:Program FilesAdobeAcrobat 9.0]Acrobatauthplay.dll. Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit. Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommend users keep their anti-virus definitions up to date.

News of the latest attack comes just days after the software maker fessed up to shipping insecure versions of its PDF reader on the official Adobe.com download location.

 

Suggested articles