Adobe Vulnerability Targeted in Drive-by Attacks

A new zero-day vulnerability affecting Adobe's Flash Player software is being targeted by attackers via drive-by downloads. Here is some advice on mitigating the vulnerability.

Adobe Systems is working on a fix for a bug in its Flash Player software that has come under attack.

Adobe first warned about the vulnerability July 21, then issued an updated advisory the following night. The issue affects current versions of Flash Player on Windows, Mac and Linux platforms, as well as the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for all three operating systems.

According to the U.S. Computer Emergency Response Team (US-CERT), an attacker can trigger an overflow by tricking a user into opening a malicious Flash (SWF) file that is either hosted or embedded on a Web page or contained within a PDF file. The end result is the attacker could trigger a crash or take full control of a vulnerable system.

"There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows," according to a post on the Adobe Product Security Incident Response Team blog. "We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh, and UNIX by July 31, 2009 ."

While users wait for a patch, the company advised users to delete or rename the authplay.dll file, but warned that users will experience a non-exploitable crash if they open a PDF file with SWF content. Those using Windows Vista can also mitigate the attacks with the User Access Control (UAC) feature.

US-CERT posted its own instructions on deleting authplay.dll here.

Reports of attacks targeting the vulnerability surfaced earlier this week. In addition to the malicious PDF files, there are reports that Websites are being compromised to deliver the exploit via drive-by attacks as well.

"At the moment there (are) a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate Websites to create a drive-by attack, as expected," according to SANS Internet Storm Center.

The widespread use of Flash makes any exploits targeting the software particularly deadly and means the bug should not be taken lightly, opined Symantec researcher Patrick Fitzgerald.

"Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products," he blogged. "This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents...[and] has become an integral part of the modern browsing experience-becoming so ubiquitous that most users don't even notice it."