Exploit In-the-Wild: Patch Your Flash Player Now

If you have not yet applied the patch that Adobe released last month to plug security holes in its Flash Player, do not procrastinate further: Security experts warn that a growing number of Web sites are using Flash vulnerabilities to install password-stealing software when users visit them with unpatched Web browsers.

It's not entirely clear whether the attackers are taking advantage of a brand new flaw, or one that Adobe already fixed.

Symantec, McAfee, the SANS Internet Storm Center and some independent researchers raised the alarm on Tuesday, indicating that hackers were exploiting a previously undocumented and unpatched flaw in Flash.

Further analysis of the sites distributing the malicious code suggests that the attack does not work against the latest version of Flash for either Internet Explorer or Firefox. So, users with the latest version of Flash should be protected from this attack.

Symantec's initial writeup clashed with the conclusions I heard Tuesday afternoon from researchers at Reston, Va.-based iDefense. Matt Richard, director of rapid response for iDefense, told me the exploit appears to mimic a method described in a white paper published last month by Mark Dowd, a researcher at IBM's Internet Security Systems.

Symantec updated its initial advisory late Tuesday evening, to confirm that the bad guys indeed appear to have adopted the technique Dowd described. But Symantec says it is still working with Adobe to identify the precise details, "due to the fact that we have observed the malicious files affecting patched versions of Flash, suggesting it may be a variant or incorrectly patched."

Richard said it looks like attackers first started exploiting this Flash flaw as early as May 24, and that the number of Web sites (both malicious and hacked) hosting or pointing to sites hosting the code is multiplying quickly.

A spokesperson for Adobe declined to comment for this story, except to say the company was working with Symantec to investigate the vulnerability and that Adobe would likely have more details to share later today. I'll update this post in the event they release anything substantive.

For now, even if you think you already patched your browser with the latest Flash update, it's a good idea to go ahead and double check that all of your browsers are up to date. Installing Flash on Internet Explorer is a separate process from installing it on Firefox and Opera, so just because you installed it for Opera or Firefox doesn't mean you've installed it for IE as well, and vice versa.

To check your version, visit Adobe's "About Flash" page with all browsers you use regularly to make sure the version number says you are running Flash Version 9.0.124.0.

If you are running a version of Flash that is anything less than 9.0.124.0 (i.e., a lower version number, such as 9.0.115.0 or 9.0.47.0), I would strongly advise you to update it now. Visit this link with whichever browser is outdated, and it should present you with the latest version to install for that browser type.
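The post's check is a manual one: open the "About Flash" page in each browser and compare the reported version against 9.0.124.0. When that check is scripted across many machines or browsers, the usual mistake is comparing version strings as text, which ranks 9.0.47.0 above 9.0.124.0 because "4" sorts after "1". The example below is added here and is not code from the post or from Adobe; it compares dotted versions component by component and flags every browser whose plug-in is below the required version. The inventory of browsers and versions is constructed for illustration (the post only says each browser must be checked separately), and the script does not itself read versions from a system, so the values would have to be supplied from the About Flash page or whatever inventory tool is in use.

```python
from typing import List, Tuple

# Minimum safe version named in the post.
REQUIRED_VERSION = "9.0.124.0"

# Constructed sample inventory: (browser, version as reported by About Flash).
# "Internet Explorer" deliberately carries an older version to show that a
# Firefox/Opera update does not cover the separate ActiveX install.
SAMPLE_INVENTORY = [
    ("Firefox (NPAPI plug-in)", "9.0.124.0"),
    ("Internet Explorer (ActiveX)", "9.0.47.0"),
    ("Opera (NPAPI plug-in)", "9.0.115.0"),
    ("Stand-alone player", "6"),
    ("Safari", "not installed"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.0.124.0' into (9, 0, 124, 0). Raises ValueError on anything
    that is not a dotted run of integers, so junk never compares as 'OK'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_outdated(found: str, required: str = REQUIRED_VERSION) -> bool:
    """True if 'found' is strictly below 'required'. Tuples are compared
    component by component, and the shorter one is padded with zeros so
    '9.0.124' and '9.0.124.0' count as equal."""
    a, b = parse_version(found), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory, required: str = REQUIRED_VERSION) -> List[Tuple[str, str, str]]:
    """Return (browser, version, status) for each entry. Status is 'OK',
    'OUTDATED', or 'UNKNOWN' when the version string cannot be parsed."""
    results = []
    for browser, version in inventory:
        try:
            status = "OUTDATED" if is_outdated(version, required) else "OK"
        except ValueError:
            status = "UNKNOWN"
        results.append((browser, version, status))
    return results


def needs_attention(inventory, required: str = REQUIRED_VERSION) -> List[str]:
    """Browsers that still need a visit to the Flash download page: anything
    outdated or with an unreadable version (treat unknown as unsafe)."""
    return [b for b, _, s in audit(inventory, required) if s != "OK"]


if __name__ == "__main__":
    for browser, version, status in audit(SAMPLE_INVENTORY):
        print(f"{status:8} {browser:30} {version}")
    print("Update needed for:", ", ".join(needs_attention(SAMPLE_INVENTORY)))
```

Treating an unparseable version as "needs attention" rather than "OK" is the deliberate choice here: a missing or odd report (Bartolo's "release 6", for instance) is more likely a broken install than a safe one.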

Of course, the NoScript add-on for Firefox can give users of that browser greater control over which sites should be allowed to serve Flash by default.

Update, May 28, 12:56 p.m. ET: The SANS Internet Storm Center updated its advisory on this attack today, saying the exploits found in the wild do not appear to attack a new vulnerability. A Storm Center incident handler I chatted with confirmed that none of the exploits spotted so far work against the latest, patched version of Flash, version 9.0.124.0.

Update, May 28, 2:26 p.m. ET: Adobe just released a statement clarifying, as Security Fix has already noted, that this attack is not exploiting a new vulnerability. From their statement: "This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere - customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit. We're still looking into the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0."

I also spoke with Ben Greenbaum, senior research manager for Symantec Security Response. Greenbaum said the confusion about whether this was a new attack stemmed from the fact that the exploits did in fact work against the stand-alone version of Flash Player, an application that isn't anywhere near as widely deployed as the browser plug-in version of Flash. Greenbaum said the latest stand-alone version of Flash is protected against this attack, but the latest stand-alone version made for software developers (the one with debugging built-in) is vulnerable. In addition, he said, all Linux versions of the stand-alone Flash player are susceptible to this attack (although not the viral payload that it currently delivers). He added that it is highly unlikely that the average Windows user has anything but the browser plug-in versions of Flash installed.

By Brian Krebs  |  May 28, 2008; 7:05 AM ET
Categories:  Fraud , Latest Warnings , Safety Tips  

Comments

I thought the Flash vulnerability getting all the ink since yesterday was unpatched.

Posted by: Larry Seltzer | May 28, 2008 7:42 AM | Report abuse

"Installing Flash on Internet Explorer is a separate process than installing it on Firefox and Opera..."

I tried updating Flash yesterday with all browsers closed, but Secunia's PSI still tells me today I am back level with Flash. Under Opera, Flash tells me I do indeed have 9.0.124. How do I get it on IE7?

Posted by: Bartolo | May 28, 2008 7:53 AM | Report abuse

Brian, it's http://noscript.net (no hyphen), thanks :)

Some additional notes for NoScript users here:
http://hackademix.net/2008/05/28/unpatched-flash-vulnerability-widely-exploited-in-the-wild/

Posted by: Giorgio Maone | May 28, 2008 8:21 AM | Report abuse

@Bartolo -- Visit the "About Flash" link with IE. If it says your IE is out of date and doesn't prompt you with a link to download the latest version, check out this link in IE:

http://www.adobe.com/products/flashplayer/

Click "Agree and Install Now," then approve the installation of an ActiveX control, and then hit "Run" at the next prompt so the installation can complete.

Posted by: Bk | May 28, 2008 8:26 AM | Report abuse

@Larry -- well, as I noted early on, that's a question that hasn't been fully answered yet. There is evidence on both sides that this is patched/unpatched. I think we'll know for sure later today, hopefully when Adobe releases a statement about this.

Posted by: Bk | May 28, 2008 8:30 AM | Report abuse

@Giorgio -- doh! of course it is. I've added that link in my column so many times it's hard to count. Fixed, thanks.

Posted by: Bk | May 28, 2008 8:32 AM | Report abuse

I updated Flash in both Firefox and IE (which my husband refuses to quit using) last week, but Secunia says I still have an earlier version of the program installed on our computer. This version isn't listed in the "Add/Delete" programs list, though. How else can I find and get rid of it?

The last time I deleted all versions of Flash and started fresh, I got an error message saying the program needed access to files in an earlier version before I could download the latest update, so I ended up downloading an earlier version before downloading the latest one. Argh. I'd rather not have to deal with that again.

Thank you for any advice you can offer me. Our PC runs XP Home Edition with Service Pack 3. I use NoScript in Firefox.

Posted by: Heron | May 28, 2008 9:12 AM | Report abuse

According to the SANS note, 9.0.124.0 (newest version as of this comment) is vulnerable and Adobe has not released a fix.

http://isc.sans.org/diary.html?storyid=4465

Posted by: John | May 28, 2008 9:16 AM | Report abuse

@john -- a link to that SANS writeup is in the third paragraph of this post.

Posted by: Bk | May 28, 2008 9:24 AM | Report abuse

I've also added IE7 Pro to our version of Internet Explorer. It blocks Flash addons unless we click on the placeholders, and makes IE a little tamer in other ways.

Posted by: Heron | May 28, 2008 9:24 AM | Report abuse

Good grief. Flash needs an auto-update mechanism. It's a safe bet that most home computer users don't monitor the computer media for Flash update information.

Posted by: JohnJ | May 28, 2008 9:33 AM | Report abuse

JohnJ wrote: "Good grief. Flash needs an auto-update mechanism. It's a safe bet that most home computer users don't monitor the computer media for Flash update information."

/signed.

Posted by: C.B. | May 28, 2008 9:51 AM | Report abuse

As of this comment Adobe has not released a "fix" or newer release than the current version 9.0.124.0 on its site.

You are doing the IT users a disservice by telling them to update their Flash when the current version is vulnerable.

It makes the user think they are immune when they are not.

Adobe's current response to this issue:
http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue.html

Posted by: Fred Dunn | May 28, 2008 10:50 AM | Report abuse

Thanks, Bk. When I go to the about Flash site it says I am on release 6. When I go to the download site and agree it goes into a loop of repeatedly asking me to download. In between there is maybe a 10 second burst of apparent download I/O going on before the process repeats.

Also, I have been getting the same Secunia PSI issue Heron mentions in her first paragraph. My remove pgm function does not offer multiple Flash versions to uninstall.

Posted by: Bartolo | May 28, 2008 11:17 AM | Report abuse

@Fred -- How am I doing people a disservice to tell them to patch to the most current version? You should know that SANS Internet Storm Center has just posted an update saying it does not look like this is a zero-day attack (i.e., that in all likelihood, the latest patched version of Flash protects you).

Flash is one of those applications, like Adobe Reader, that 90+ percent of the people who use them never think to update them, ever. In fact, I'd be willing to bet money that a significant share of Flash users are actually using some version of Flash that is over one year old, perhaps even two years old. Same with Adobe Reader.

Posted by: Bk | May 28, 2008 12:27 PM | Report abuse

The Flash uninstaller page includes this lovely paragraph when you look at it in IE (not Firefox):

"Due to recent enhancements to the Adobe Flash Player installers, you can now remove the player only by using the Adobe Flash Player uninstaller. To remove Flash Player, simply download and run the appropriate uninstaller for your system using the steps below."

Here's the link:
http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157
I found it via a Google search.

I used the Flash uninstaller, then downloaded the newer version of Flash in both browsers, and Secunia doesn't list the older version anymore when I run a scan. It does detect both versions of Flash (one for IE, one for Firefox), though.

If you use the uninstaller, you'll want to close all programs that use Flash (browsers, chat programs, etc.) before you run it. Save it to your desktop, close the programs, run the uninstaller, restart the machine, then run the uninstaller again to make sure it deleted everything. Then, you should be all set.

Oh, and use the link BK provided to install the latest version, not the installer program Flash wants you to use. I think the proprietary installer program is what caused the error message I encountered when I made the last update.

This seems like such an avoidable hassle. I sent Macromedia a query asking, "Why isn't the older version of Flash deleted when we download the latest version?" I don't expect a reply.

Posted by: Heron | May 28, 2008 1:19 PM | Report abuse

I followed Heron's suggestions about uninstalling Flash and reinstalling it individually with both browsers (IE7 & Opera). It all seemed to work, although the IE7 install still looped back to the original download screen.

Going back to Secunia PSI, however, the back level Flash "End-of-Life" was still flagged as being 7.x. When I hovered my mouse over the plus sign on that exception item it showed Program Files\Opera\uninst\backup\NPSWF32.dll, which is odd but maybe OK?

Posted by: Bartolo | May 28, 2008 2:34 PM | Report abuse

The best solution is to remove Flash and never install it again. Like Quicktime and RealPlayer, it is constantly being exploited. New versions are just a (very) temporary fix.

Posted by: Craig | May 28, 2008 3:59 PM | Report abuse

Bartolo, it looks like the uninstaller that came with 7.x didn't get deleted. If the latest version of the Flash uninstaller won't remove that file, and you've tried running that latest version of the uninstaller a couple of times (once after restarting your computer), you might try tracking down that file manually and deleting it. It looks like it'd be in the Opera folder on your C: drive. Your computer shouldn't miss it if you do that.

Posted by: Heron | May 28, 2008 4:57 PM | Report abuse

I can't help on some of the comments above about difficulties installing (we readers don't even know the browser in use, much less what they are seeing). There are over twelve million successfully completed installations of Adobe Flash Player each day, so you should be able to do so too. I wish I had enough info about what you're seeing to be able to help.

But for versioning, over 95% of consumers were audited in March as having Player 9 or above, and nearly two-thirds of the public updated to v9.0.115 during its first three months of release:
http://www.adobe.com/products/player_census/flashplayer/version_penetration.html

(Brian, thanks for including the updated info! But many news reports today are still going with the early and inaccurate info... the public needs stronger reminders to keep their internet software current.)

tx, jd/adobe

Posted by: John Dowdell | May 29, 2008 1:00 PM | Report abuse

John Dowdell, thank you for the post. Can you shed any light on why the Flash update process doesn't remove the older version of Flash automatically? It seems to be especially important for Adobe to figure out how to set this up now that older versions do not show up in the "Add/Delete Programs" menu in Windows. The prospect of having to use your company's program to delete the older version of Flash, then download the newer version, is enough to make me consider seeing if we could live without Flash altogether, especially if updates continue to be so frequent.

Also, does Adobe test new versions of its software, and the update processes for them, on computers that are several years old, or just on newer, faster machines that have high-speed Internet access?

Posted by: Heron | May 31, 2008 4:39 PM | Report abuse

John Dowdell, thanks for posting. Why isn't Flash configured to delete the older version(s) of the program during the update process? If we're really expected to keep our computers up to date, as you said, then why do end users need to run your company's proprietary program in order to delete older, more insecure versions of Flash? The prospect of having to do that regularly is making me consider seeing if we can do without Flash altogether.

Posted by: Heron | May 31, 2008 5:08 PM | Report abuse

"Why doesn't Player installation uninstall old versions?" The installer and uninstaller have been separate items, to reduce download costs for people. The installer does replace the old version in the registry, so browsers will not invoke old Players.

"Why do we need to run the uninstaller?" That's usually only needed when running developer-level preview releases, which arrive early for the widest possible compatibility testing. On the regular consumer releases you'd only need to run an uninstaller if there were difficulties installing, to get back to a known state.

jd/adobe

Posted by: John Dowdell | June 1, 2008 1:17 PM | Report abuse

John Dowdell, Brian Krebs really emphasizes removing previous versions of Flash altogether, in case a computer is hijacked by someone who wants to do it harm. Your saying older versions shouldn't be invoked by our browsers doesn't reassure me.

Also, all those old Flash programs will eat up hard drive space over time, especially on an older machine, won't they?

Finally, what is Adobe doing to make Flash a more secure program from the get-go, so security concerns won't be so problematic for Internet users who use it?

Thanks again for posting in here. I really appreciate your taking the time to do that.

Posted by: Heron | June 1, 2008 3:14 PM | Report abuse

"Also, all those old Flash programs will eat up hard drive space over time, especially on an older machine, won't they?"

It's true that an old Player might consume a megabyte or so of disk space. I don't know of a way a webpage can invoke unregistered executables on your drive stored in browser-plugin format, however.

There's lots and lots of security examination, and you can find a small public section of that work at that blogs.adobe.com/psirt address.

jd/adobe

Posted by: John Dowdell | June 2, 2008 2:11 PM | Report abuse

The GovTech Security News Podcast ( http://security.govtech.com ) has a story about this issue, and helpful tips. It's free to stream and you can also get it on iTunes.

Posted by: Anon | June 2, 2008 3:24 PM | Report abuse


© 2010 The Washington Post Company