Adobe Releases Emergency Patch for Zero-Day Flash Flaws
Kaspersky Lab, the firm that disclosed the flaw to Adobe, said one of the exploits is being used to steal user credentials.
In response to a Flash exploit being used in the wild, Adobe on Tuesday released a security update for Adobe Flash Player 126.96.36.199 and earlier.
The update addresses CVE-2014-0497, which was discovered and disclosed to Adobe by Kaspersky Lab. According to the security firm, 11 SWF exploit files targeting the flaw were found; the vulnerability allows arbitrary code to be executed on a targeted system, giving attackers remote control over it. However, of the 11 samples, only one had been seen with a working executable payload attached at the time the patch was issued.
"All of the exploits exploit the same vulnerability and all are unpacked SWF files," said Kaspersky Lab's Vyacheslav Zakorzhevsky in a company blog post. "All have identical ActionScript code, which performs an operating system version check. The exploits only work under the following Windows versions: XP, Vista, 2003 R2, 2003, 7, 7x64, 2008 R2, 2008, 8, 8x64. Some of the samples also have a check in place which makes the exploits terminate under Windows 8.1 and 8.1 x64."
The one executable found in active use by attackers downloads additional malicious files to an infected system, including a Trojan designed to steal login credentials and another file that acts as a backdoor, installing harmful DLL files hidden inside JPEG images.
The firm discovered the exploits on three different machines -- two systems running Windows 7 and one running Mac OS 10.6.8. According to Kaspersky, the SWF files containing malicious code were all found embedded in .docx files with a Korean name which, when translated, reads as "List of the latest Japanese AV wind and how to use torrents.docx."
While the names attached to the files were Korean, security experts believe the attacks originated from another location. "The browser used was SogouExplorer, which originates from China, and the mailbox was hosted on 163.com," said Kaspersky. "All of this may be an indication that the .docx document with the 0-day exploit was distributed via a targeted e-mail mailing."
In addition to being delivered as an e-mail attachment, the malicious .docx was also found by Kaspersky in the internet cache of the Chinese Web browser Sogou Explorer.
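A defender-side check for the delivery vector described above (SWF objects embedded in .docx containers), added here as an example and not code from the article or from Kaspersky; it uses only the Python standard library, and the zip entry paths and the sample document are constructed for the demonstration.

```python
import io
import zipfile

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

def _looks_like_swf_header(data: bytes, off: int) -> bool:
    """Validate the 8-byte SWF header at `off`: signature, version, file length."""
    if off + 8 > len(data):
        return False
    version = data[off + 3]
    length = int.from_bytes(data[off + 4:off + 8], "little")
    # Version byte is small (Flash 12 era shipped SWF versions in the 20s);
    # the declared length must at least cover the header itself.
    return version <= 50 and length >= 8

def find_embedded_swf(docx_bytes: bytes) -> list:
    """Return (zip entry, offset) for each plausible SWF header inside a .docx.

    A .docx is a ZIP container. Embedded objects normally sit under
    word/embeddings/ (often wrapped in an OLE .bin) or word/media/, but every
    entry is scanned because a hostile document need not follow convention.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            for magic in SWF_MAGICS:
                off = data.find(magic)
                while off != -1:
                    if _looks_like_swf_header(data, off):
                        hits.append((info.filename, off))
                    off = data.find(magic, off + 1)
    return hits

def build_sample_docx(with_swf: bool) -> bytes:
    """Constructed test input: a minimal .docx, optionally carrying a stub SWF header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_swf:
            # Header only (CWS, version 11, length 100) plus padding; not a real SWF.
            stub = b"CWS" + bytes([11]) + (100).to_bytes(4, "little") + b"\x00" * 92
            zf.writestr("word/embeddings/oleObject1.bin", stub)
    return buf.getvalue()
```

Run `find_embedded_swf` over documents arriving from mail or proxy caches; any hit is worth quarantining for analysis, since a legitimate Word document rarely carries a Flash object.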
While active attacks have so far been seen only in limited use in China, Adobe has assigned these exploits its highest priority rating ("Priority 1") and states that "Adobe recommends administrators install the update as soon as possible (for example, within 72 hours)."