solarbird: (pindar-most-unpleasant)
[personal profile] solarbird
There is a newly discovered Flash/Adobe Reader vulnerability with a day zero exploit requiring no user interaction. All you need to do is visit a webpage containing Flash content that carries the exploit (and I note that most ads are in Flash). There is no patch at this time.

Aspects of this vulnerability affect all Intel platforms with Flash, Adobe Reader, Acrobat, or other Flash-enabled software packages, including OSX and Linux. The currently-existing exploit has a payload; it is not just proof-of-concept.

eta: By "Intel platforms," I mean "Intel instruction set platforms." That includes AMD, and it is not a fault of the chipset. The exploit runs Intel/AMD instruction set code, so it will of course be meaningless on PPC, Alpha, and so on.

Date: 2009-07-23 03:35 pm (UTC)
maellenkleth: (81st-ravens)
From: [personal profile] maellenkleth
jeez, thank you, bird! acted on recommendations.

Date: 2009-07-23 03:42 pm (UTC)
ext_366168: (pic#65720871 bugs errors failure)
From: [identity profile] zeightyfiv.livejournal.com
*facepalm* Not again!
Thanks for the heads up. I was looking for an excuse to disable Flash, anyway... c.c

I can't believe Adobe jammed flash into PDF, along with all the other crap they've been shoving in. It's like, wasn't anyone paying attention to the HTML email debacle in the '90s?

So.. yeah. Solution for AR is to delete or rename authplay.dll. Brilliant, guys, you didn't even provide an off switch. Fortunately, AR 8.x and earlier don't appear to be vulnerable.

I wonder if there's any way to browbeat Adobe into running AR under Vista low integrity in Windows, like protected-mode IE? That's really where such a read-only, (untrustworthy) reader of untrusted documents belongs.
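The workaround the comment above describes (delete or rename authplay.dll, the Flash component of Reader/Acrobat 9.x) can be audited and applied with a script like this one. It is an added example, not code from the post, the commenter, or Adobe; it assumes the DLL sits somewhere under the Program Files Adobe folders rather than hard-coding one install path.

```powershell
# Added example, not from the post or Adobe: inventory authplay.dll (the Flash
# component of Adobe Reader/Acrobat 9.x) and optionally rename it out of the way.
# Assumption: the DLL lives somewhere below <Program Files>\Adobe\...; no single
# path is hard-coded, the Adobe folders are searched instead.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # rename each authplay.dll to authplay.dll.disabled
)

# Both 32- and 64-bit Program Files roots; ${env:ProgramFiles(x86)} is empty on 32-bit Windows.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path (Join-Path $_ 'Adobe')) }

# Recursive search; unreadable folders are skipped rather than aborting the scan.
$dlls = foreach ($root in $roots) {
    Get-ChildItem -Path (Join-Path $root 'Adobe') -Filter 'authplay.dll' -Recurse `
        -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
}

if (-not $dlls) {
    Write-Output 'No authplay.dll found: Flash-in-PDF support is absent or already disabled.'
    return
}

foreach ($dll in $dlls) {
    # File version tells you which Reader/Acrobat line shipped this copy.
    $info = $dll.VersionInfo
    Write-Output ('{0}  file version {1}' -f $dll.FullName, $info.FileVersion)

    if ($Disable) {
        $target = $dll.FullName + '.disabled'
        # -WhatIf / -Confirm are honoured through ShouldProcess; renaming normally needs
        # an elevated shell because Program Files is write-protected for standard users.
        if ($PSCmdlet.ShouldProcess($dll.FullName, "Rename to $target")) {
            Rename-Item -Path $dll.FullName -NewName (Split-Path $target -Leaf) -ErrorAction Stop
            Write-Output ('Renamed -> {0}' -f $target)
        }
    }
}
```

Run it without `-Disable` to audit, and with `-Disable -WhatIf` to preview the renames before doing them for real. A later Adobe update may restore the file, so re-run the audit after updating.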

Date: 2009-07-23 03:56 pm (UTC)
ext_3178: a penguin (geek - geeky penguin)
From: [identity profile] penguin-attie.livejournal.com
Ha, I defy anyone to get past my NoScript+AdBlockPlus+CSLite combo. Well actually, the obvious weak spot is me, so no I don't, because I don't want to be paranoid right now.

As long as no one manages to combine it with a clever bit of XSS to integrate it into youtube clips...

Date: 2009-07-23 04:05 pm (UTC)
ext_3178: a penguin (geek - geeky penguin)
From: [identity profile] penguin-attie.livejournal.com
Actually I was using youtube more as short hand for "flash content I routinely give permission for without thinking", but it's good to know that at least that is safe :)

Date: 2009-08-19 04:16 am (UTC)
foxgrrl: (launch codes)
From: [personal profile] foxgrrl
If there is any way for a user to inject Actionscript code into a YouTube video, then this exploit can be done.

Date: 2009-07-23 04:55 pm (UTC)
ext_3038: Red Panda with the captain "Oh Hai!" (Default)
From: [identity profile] triadruid.livejournal.com
Your post implies that this is Intel-chipset related in some way, but unless I'm misreading none of the security briefings linked to are saying that. What am I too stupid to notice?

Date: 2009-07-23 06:04 pm (UTC)
ext_3038: Red Panda with the captain "Oh Hai!" (Default)
From: [identity profile] triadruid.livejournal.com
Gotcha, that was the piece/context I was not getting. Thanks!

Date: 2009-07-24 05:32 am (UTC)
avram: (Default)
From: [personal profile] avram
I'm not seeing anything limiting this to a specific instruction set.

Date: 2009-07-24 07:26 am (UTC)
avram: (Default)
From: [personal profile] avram
Ah, OK. So I may be best off shutting off plug-ins anyway, despite having an old PowerBook G4.

Date: 2009-07-24 11:00 am (UTC)
ext_3178: a penguin (geek - geeky penguin)
From: [identity profile] penguin-attie.livejournal.com
But if it drops a binary, is the exploit not also limited to one OS? Or can it detect which system is running and use the appropriate system calls?

Date: 2009-07-24 03:28 pm (UTC)
ext_3178: a penguin (geek - geeky penguin)
From: [identity profile] penguin-attie.livejournal.com
Yes, but the vulnerability is not dependent on the instruction set either, only the exploit, no?

Ars Technica (http://arstechnica.com/security/news/2009/07/flash-security-vulnerability-exploited-in-pdfs.ars) just said it was only Windows. No idea how reliable they are in this kind of situation though.

Date: 2009-08-19 04:25 am (UTC)
foxgrrl: (launch codes)
From: [personal profile] foxgrrl
All of the versions of this exploit I've seen in the wild were for Windows 2K and up, on x86 instruction sets. Generally no one bothers with anything else unless they're going after a very specific target.

Date: 2009-08-19 04:24 am (UTC)
foxgrrl: (launch codes)
From: [personal profile] foxgrrl
The vulnerability is in the Actionscript VM, so triggering it works on all platforms that Flash runs on, but once you get a hold of the instruction pointer, you need to point it to native code. If you're really clever, you can write shellcode which will decode one way on PPC (for example), and another way on x86. (Easiest just to find a way to jump to native code on one, and be a nop on the other.)

Date: 2009-07-23 05:26 pm (UTC)
From: [identity profile] hubbit.livejournal.com
I just completely cleared my "whitelist" in NoScript. Thanks for the heads-up.

Date: 2009-07-23 05:34 pm (UTC)
From: [identity profile] sunfell.livejournal.com
Intel-based platforms, eh? Should I be glad that I am a die-hard AMD fangirl?

Date: 2009-07-23 07:06 pm (UTC)
From: [identity profile] westrider.livejournal.com
Well, at least I'm still running an old PPC Machine. Makes me glad for once that I once again couldn't afford to upgrade this year. Thanks for the heads up, though.

Date: 2009-07-23 07:50 pm (UTC)
avram: (Default)
From: [personal profile] avram
Yeah, me too.

Date: 2009-08-19 04:32 am (UTC)
foxgrrl: (launch codes)
From: [personal profile] foxgrrl
The vulnerability is in the Actionscript Virtual Machine - It's platform independent, that's why a single Flash program runs on many architectures. To exploit this vulnerability, you just need to put <25 81 10 25 f8 61 a2 30 60 01> into an Actionscript function somewhere, and fill memory with the native code you want executed (you can do the memory fill from Actionscript). (Ok, that's a bit of an oversimplification, you need to make sure your code is at the right address, but yeah, it's not hard.)

Date: 2009-07-23 10:19 pm (UTC)
From: [identity profile] quen-elf.livejournal.com
awesome! (and yay flashblock)

Date: 2009-07-24 12:44 am (UTC)
From: [identity profile] wiredhound.livejournal.com
I'll ask a dumb question. What does "zero-day exploit" mean exactly?

Date: 2009-07-24 05:27 am (UTC)
avram: (Default)
From: [personal profile] avram
It means attacks have been seen before the software vendor was made aware of the security hole.

Date: 2009-08-19 04:35 am (UTC)
foxgrrl: (launch codes)
From: [personal profile] foxgrrl
Actually Adobe has known about this bug since December 2008. The bug report just says it's a crash, no one there realized that it was exploitable, so it wasn't fixed until just now.

From: [identity profile] capybyra.livejournal.com
Doing ^any^ web surfing other than through totally captive VPN or equal means is arguably "untrusted!" Which means the concept of a Day Zero exploit whacking your 'puter becomes a WHEN. Unless you choose to lower your whackability by whatever means are feasible for you.

MY favorite lowest risk is a computer running Livedistro Linuxes totally in RAM with NO persistent local storage possibility. Yeah, there's the tinfoil hat nags about BIOS/Printer Spool HD's etc or forgetting about your PDA/Phone charging on the USB port as exploit fodder. But in the real world? Booting up from a smallish Distro like Damn Small or Puppy on a machine you've stripped of all persistent memory devices within reason is your "Least Risk" path:>

Defcon and its familial cons are sadly where many Zero Day exploits get FORCED correction by vendors. Savvy vendors seeking to beat the presentation of the exploit by having a patch in place... And it's a safe bet that many attending Def etc will be physically removing their HD before boarding the plane to NV even:>

But- You're still at risk for all the other information leak/exploits that are not preventable even by running a Ramdisked distro...
