Status Tracking Note TRTA08-149A

Exploitation of Adobe Flash Vulnerability

Overview

A vulnerability that affects Adobe Flash Player 9 is being actively exploited to install malicious software.

Event Information

Date (UTC) Description
2008-05-29 19:13 F-Secure
Inside a Malicious Flash File
F-Secure Weblog : News from the Lab
The lab has been receiving lots of malicious flash files lately. Most of the flash files that we've received have obfuscated shellcodes.
2008-05-29 16:28 Adobe
More information on recent Flash Player exploit
Adobe Product Security Incident Response Team (PSIRT)
Here's some more information about the recent reports of Flash Player exploits in the wild that may help answer some of the questions we've been seeing:
2008-05-29 15:33 IBM Internet Security Systems
AlertCon (2) => (1)
Active Exploitation - Adobe Flash Player RCE: Several reports have stated that a zero-day Flash vulnerability is being exploited through several Chinese hacker websites.
2008-05-29 12:36 Symantec
ThreatCON (2) => (1)
A recently discovered vulnerability affecting Adobe Flash Player is being leveraged in the wild. Avoid untrusted sites and install Flash 9.0.124.0 immediately.
2008-05-29 01:15 JPCERT/CC
JPCERT-AT-2008-0009: Vulnerability in Adobe Flash Player
2008-05-28 22:03 US-CERT
TA08-149A: Exploitation of Adobe Flash Vulnerability
Technical Cyber Security Alert published
2008-05-28 17:16 SANS Internet Storm Center
Another example of malicious SWF
Handler's Diary
A new variant on the theme of SWF files being found in the wild. This one uses encoded VBScript to deliver. A Google search for www.chliyi.com gives us over 5,000 hits! The likely method of getting the malicious scripts on these web servers is SQL injection, check your code regularly.
2008-05-28 17:16 F-Secure
Flash w/ SQL
F-Secure Weblog : News from the Lab
There are reports of a critical vulnerability affecting current versions of Adobe Flash and evidence of it being exploited in the wild. Versions including and previous to 9.0.124.0 are reported to be at risk.
2008-05-28 16:57 SANS Internet Storm Center
Followup to Flash/swf stories (Version: 2)
Handler's Diary
We've received quite a bit of mail about our stories yesterday about the malicious SWF files attempting to exploit older versions of the Adobe Flash player.
2008-05-28 15:55 McAfee
Flash Player Exploit Update 2
Computer Security Research - McAfee Avert Labs Blog
Last night our researchers identified similarities between the recent Adobe Flash exploits and a known (patched) vulnerability: CVE-2007-0071.
2008-05-28 11:09 Adobe
Potential Flash Player issue - update
Adobe Product Security Incident Response Team (PSIRT)
Here's an update on our progress investigating the recent reports of a potential Flash Player exploit in the wild. The exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071).
2008-05-28 05:14 JPCERT/CC
JPCERT-AT-2008-0009: Zero-day vulnerability in Adobe Flash Player
2008-05-28 04:02 Trend Micro
Flash Bugs Exploited in Latest Mass Compromise
TrendLabs | Malware Blog - by Trend Micro
2008-05-28 Trend Micro
SWF_DLOADER.YVN
Code execution vulnerability (CVE-2007-0071)
2008-05-28 Trend Micro
SWF_DLOADER.YVM
Code execution vulnerability (CVE-2007-0071)
2008-05-28 Trend Micro
SWF_DLOADER.ZTS
Code execution vulnerability (CVE-2007-0071)
2008-05-27 22:44 US-CERT
Adobe Flash Player Vulnerability
US-CERT Current Activity
US-CERT is aware of public reports of a vulnerability in Adobe Flash Player. By convincing a user to open a specially crafted Flash file, a remote, unauthenticated attacker may be able to execute arbitrary code. Public reports indicate that this vulnerability is being actively exploited.
2008-05-27 20:34 Symantec
ThreatCON (1) => (2)
A previously unknown and unpatched (zero-day) vulnerability affecting Adobe Flash Player has been discovered in the wild. Avoid untrusted sites and disable Flash until patches are available.
2008-05-27 19:52 McAfee
Flash Player Exploit Update
Computer Security Research - McAfee Avert Labs Blog
Here's a quick update to the earlier post on a new unpatched Adobe Flash vulnerability. Through looking for sites serving these SWF exploits we've found a connection with recent mass hacks.
2008-05-27 18:46 SANS Internet Storm Center
Malicious swf files? (Version: 2)
Handler's Diary
A potentially malicious site found
2008-05-27 18:12 SANS Internet Storm Center
Adobe flash player vuln (Version: 2)
Handler's Diary
A vulnerability has been reported in Adobe Flash Player versions 9.0.124.0 and older, which is the current version available for download now. Adobe has not yet released a patch nor an official advisory.
2008-05-27 11:05 Adobe
Potential Flash Player issue
Adobe Product Security Incident Response Team (PSIRT)
Just a quick note to say we are aware of today's report of a potential exploit involving Flash Player in the wild. We are working with Symantec to investigate the potential SWF vulnerability, and will have an update once we get more information.
2008-05-27 09:58 Shadowserver
When Adobe Flash Attacks
2008-05-27 Symantec
Trojan.Emifie
Code execution vulnerability (CVE-2007-0071)
2008-04-08 Adobe
APSB08-11: Flash Player update available to address security vulnerabilities
The newest version 9.0.124.0
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system.

Reference

Date first published (UTC): 2008-05-31T15:09+00:00
Date last updated (UTC): 2008-05-31T15:09+00:00