Monday, April 11, 2011

Adobe Warns of New Flash Player Zero-Day Attack

Via ZDNet (Zero Day Blog) -

Attackers are embedding malicious Flash Player files in Microsoft Word documents to launch targeted attacks against select businesses, according to a warning from Adobe.

This latest Flash Player zero-day attack comes just weeks after EMC’s RSA Division was hit with a malware attack that used a rigged Flash (.swf) file embedded in a Microsoft Excel document.

In both cases, the attacks are being used to steal corporate secrets.

Here’s the gist of the latest Flash Player zero-day....

The following blog post was written by Microsoft after the previous Flash 0-day (CVE-2011-0609) was exploited via Excel files. Given that this new attack (CVE-2011-0611) uses Word (.doc) files, many of the recommendations outlined by the SRD team remain relevant.

Microsoft SRD: Blocking Exploit Attempts of the Recent Flash 0-Day
  • Ensure the Data Execution Prevention (DEP) security mitigation is enabled for Office and for your browser of choice (IE, Firefox, etc.).
  • Install and configure the Enhanced Mitigation Experience Toolkit (EMET). Turning on EMET for the core Office applications enables a number of security protections called security mitigations. Since Flash Player can also be hosted in a web browser, you may wish to turn on EMET for the browser you use (IE, Firefox, etc.).
  • Beyond EMET, there is a workaround that Office 2007 users can use to prevent the Flash Player (as well as other ActiveX controls) from loading inside an Office application. This is done by changing the ActiveX setting in the Trust Center to “Disable all controls without notification”. The ActiveX setting in the Trust Center can also be set via group policy or registry. For more information, please refer to “Security policies and settings in the 2007 Office system”.
  • Sadly, not everyone is running Office 10, so if you are running Office 2003 or 2007, I would recommend installing the Microsoft Office Isolated Conversion Environment (MOICE). MOICE takes a potentially risky binary file type, converts it within a sandboxed process to the new XML format (much safer), converts it back to the binary format and then opens it. The hope of doing this conversion is to remove any exploit code that was hidden away within the file.
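
Complementing the host-side mitigations above, a defender can also check inbound documents for the object these attacks carry: a Flash (.swf) file embedded in a legacy binary Word or Excel document. The following is an added example, not code from this blog post or from Microsoft's SRD team. It searches a file for the Shockwave Flash ActiveX control identifiers (its public CLSID and ProgID, not page-specific indicators) and for an SWF file header, and it confirms a compressed ("CWS") header by test-decompressing the zlib body so that stray "FWS"/"CWS" letters in ordinary text are not reported. The two sample documents it builds are constructed for the demonstration; the scan is a heuristic and would miss a .swf stored inside a compressed or encrypted object stream.

```python
"""Detect embedded Flash (SWF) objects inside binary Office documents.

Added example (not from the blog post or the SRD guidance it summarises).
"""
import re
import struct
import zlib
from typing import Dict, List

# Public identifiers of the Shockwave Flash ActiveX control as stored in
# OLE2 containers (Office writes them as UTF-16LE text; scan ASCII too).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
FLASH_PROGID = "ShockwaveFlash.ShockwaveFlash"

# Magic bytes of an OLE2 compound file (legacy .doc/.xls/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# SWF header: 'FWS' (uncompressed) or 'CWS' (zlib-compressed body), one
# version byte, then the uncompressed total length as uint32 little-endian.
SWF_HEADER = re.compile(rb"(?P<sig>FWS|CWS)(?P<ver>[\x01-\x40])(?P<len>.{4})", re.DOTALL)


def _contains_text(data: bytes, text: str) -> bool:
    """True if `text` occurs in ASCII or UTF-16LE form (case-insensitive)."""
    lowered = data.lower()
    return any(text.encode(enc).lower() in lowered for enc in ("ascii", "utf-16-le"))


def _swf_candidates(data: bytes) -> List[Dict]:
    """Locate SWF headers and verify each against the bytes that follow it."""
    hits = []
    for m in SWF_HEADER.finditer(data):
        off = m.start()
        sig = m.group("sig").decode()
        declared = struct.unpack("<I", m.group("len"))[0]
        if declared < 8:  # the header alone is 8 bytes, so this cannot be real
            continue
        body = data[off + 8:]
        if sig == "CWS":
            # A genuine CWS body is a zlib stream; inflating a prefix proves it.
            try:
                verified = len(zlib.decompressobj().decompress(body[:4096])) > 0
            except zlib.error:
                verified = False
        else:
            # Uncompressed: the declared length cannot exceed what is present.
            verified = declared <= 8 + len(body)
        hits.append({"offset": off, "signature": sig, "version": m.group("ver")[0],
                     "declared_length": declared, "verified": verified})
    return hits


def scan_document(data: bytes) -> Dict:
    """Report Flash indicators found in one document image."""
    swf = _swf_candidates(data)
    result = {
        "ole2_container": data.startswith(OLE2_MAGIC),
        "flash_clsid": _contains_text(data, FLASH_CLSID),
        "flash_progid": _contains_text(data, FLASH_PROGID),
        "swf_headers": swf,
    }
    result["suspicious"] = (result["flash_clsid"] or result["flash_progid"]
                            or any(h["verified"] for h in swf))
    return result


def scan_file(path: str) -> Dict:
    with open(path, "rb") as fh:
        return scan_document(fh.read())


def build_sample_document() -> bytes:
    """Constructed input: an OLE2-looking blob carrying the Flash CLSID in
    UTF-16LE plus a small CWS object. The SWF body is filler, not a movie;
    only the header and the zlib framing matter for the check."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00" + b"\x00" * 64
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    clsid = ("{" + FLASH_CLSID + "}").encode("utf-16-le")
    return OLE2_MAGIC + b"\x00" * 504 + clsid + b"\x00" * 16 + swf + b"\x00" * 32


def build_benign_document() -> bytes:
    """Constructed control: an OLE2 header and text containing 'FWS' followed
    by an impossible length, which must not be reported as a Flash object."""
    return OLE2_MAGIC + b"\x00" * 504 + b"Report from FWS\x05\xff\xff\xff\xff committee"


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, scan_file(path))
    else:
        print("sample:", scan_document(build_sample_document()))
        print("benign:", scan_document(build_benign_document()))
```

Run it with one or more document paths as arguments to scan real files, or with no arguments to see the result for the two constructed samples. A hit on the CLSID or ProgID alone is already worth triage, because a legitimate business document rarely needs the Flash control at all.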

Possible DEP and ASLR Bypass
I hear this attack works in Windows 7, so it sounds like it can bypass both DEP and ASLR - which is more advanced than the previous zero-day exploitation via XLS.

Mila Parkour has posted a very informative blog on this new 0day...
