Multimedia tools developer Adobe stated on Tuesday in a brief blog post that the company is investigating reports of a previously unknown vulnerability in its Flash software, after it received evidence that attackers are using malicious Flash files to compromise computers.
The exploit -- first reported by security software company Symantec, the owner of SecurityFocus -- appears to be fairly widespread. The original Symantec report indicates that nearly 20,000 pages are hosting malicious Flash (SWF) files, while antivirus firm McAfee points out that Google returns nearly a quarter million search results for the attack's telltale code.
"Through looking for sites serving these SWF exploits we've found a connection with recent mass hacks," Craig Schmugar, senior antivirus researcher for McAfee, stated on the company's blog. "Hacked sites reference an external script, just as they have for quite some time. But, the external scripts now reference an SWF file."
Security researchers and malicious attackers have increasingly focused on finding flaws in the ubiquitous Adobe Flash Player. Late last year, a Google researcher warned that flaws in the authoring tools that create Flash files had led to widespread cross-site scripting vulnerabilities. Adobe and other tool developers fixed the issues, but Web site owners must still rebuild all their Flash files to eliminate the vulnerabilities. Adobe also upgraded its Flash Player to add security features, warning that the changes would break some functionality.
In the latest incident, the malicious Flash files attempt to install an obfuscated download program on victims' computers. The downloader then attempts to install a known password stealer, although detection of the program's components is spotty across antivirus programs, researcher Dancho Danchev stated in a blog post. Danchev recommended that administrators block 15 different domains that appear to be hosting the malicious code.
"It could have been worse, as 'wasting a zero day exploit' affecting such ubiquitous player such as Adobe's flash player for infecting the end users with a rather average password stealer is better than having had the exploit leaked to others who would have introduced their latest rootkits and banker malware," Danchev stated on his blog.
Adobe has posted its statement on its Product Security Incident Response Team (PSIRT) blog.
Posted by: Robert Lemos