[Laszlo-dev] Flash Player Security Warning

Raju Bitter rajubitter at me.com
Thu Jul 23 05:36:24 PDT 2009


http://www.adobe.com/support/security/advisories/apsa09-03.html
A critical vulnerability exists in the current versions of Flash  
Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux  
operating systems, and the authplay.dll component that ships with  
Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX  
operating systems. This vulnerability (CVE-2009-1862) could cause a  
crash and potentially allow an attacker to take control of the  
affected system. There are reports that this vulnerability is being  
actively exploited in the wild via limited, targeted attacks against  
Adobe Reader v9 on Windows.

We are in the process of developing a fix for the issue, and expect to  
provide an update for Flash Player v9 and v10 for Windows, Macintosh,  
and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for  
Solaris is still pending). We expect to provide an update for Adobe  
Reader and Acrobat v9.1.2 for Windows and Macintosh by July 31, 2009  
(the date for Adobe Reader for UNIX is still pending).

More info:
> http://isc.sans.org/diary.html?storyid=6847
> Well, it looks like the last two weeks have definitely been marked  
> by multiple 0-day exploits actively used in the wild.
> The last one exploits a vulnerability in Adobe Flash player  
> (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2.  
> Besides being a 0-day there are some other interesting things about  
> this exploit.
>
> First, several AV companies reported that they detected this 0-day  
> exploit in PDF files, so at first it looked like an Adobe Reader  
> vulnerability. However, the vulnerable component is actually the  
> Flash player or, better said, the code used by the Flash player  
> which is obviously shared with Adobe Reader/Acrobat. This increases  
> the number of vectors for this attack: the malicious Flash file can  
> be embedded in PDF documents which will cause Adobe Reader to  
> execute it OR it can be used to exploit the Flash player directly,  
> making it a drive-by attack as well.
>
> And indeed, when tested with Internet Explorer and the latest Flash  
> player (version 10), the exploit silently drops a Trojan and works  
> "as advertised". Another interesting thing I noticed is that the  
> Trojan, which is downloaded in the second stage, is partially XOR-ed  
> – the attackers probably did this to evade IDSes or AV programs  
> scanning HTTP traffic. At the moment, the detection for both the  
> exploit and the Trojan is pretty bad (only 7/41 for the Trojan,  
> according to VirusTotal).
>
> It appears that even when JavaScript support is disabled in Adobe  
> Reader, the exploit still works, so at the moment there are no  
> reliable protection mechanisms (except not using Adobe Reader?).  
> Regarding Flash, NoScript is your best help here, of course.
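
The diary quoted above gives a defender two concrete things to act on: the malicious SWF can ride inside a PDF rather than arriving as a standalone Flash object, and the second-stage Trojan was XOR-encoded so that HTTP-scanning IDS/AV would not recognise it. The Python below is an added example (not code from the Adobe advisory, the ISC diary, or this list) showing a triage check for both. `scan_pdf_for_flash` flags a PDF that carries Flash content by dictionary keys (/RichMedia, /Subtype /Flash, the x-shockwave-flash MIME type of an embedded file) and by an SWF magic ("FWS", "CWS", "ZWS") at the start of a decoded FlateDecode stream; `recover_single_byte_xor` brute-forces a single-byte XOR key over a captured download and accepts the result only if it decodes to a PE image. The sample PDF and the sample PE are constructed inline for the demo. Two assumptions are mine, not the diary's: the XOR is a single byte over the whole buffer (the diary says only "partially XOR-ed"), and the stream regex handles flat dictionaries only, so nested dictionaries, object streams and filters other than FlateDecode are not covered.

```python
import re
import zlib
from typing import List, Optional, Tuple

# --- 1. Flash-in-PDF triage --------------------------------------------------
# Dictionary-level indicators (label, regex) that a PDF carries Flash content.
FLASH_KEYS = (
    ("RichMedia annotation", rb"/RichMedia"),
    ("RichMedia instance of type Flash", rb"/Subtype\s*/Flash"),
    ("embedded file with Flash MIME type", rb"/application#2Fx-shockwave-flash"),
)
# SWF files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA) plus a version byte.
SWF_MAGIC = re.compile(rb"^(?:FWS|CWS|ZWS)[\x01-\x20]")
# Heuristic, not a PDF parser: a flat (non-nested) dictionary directly followed by a stream.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def scan_pdf_for_flash(pdf: bytes) -> List[str]:
    """Return human-readable findings; an empty list means no indicator was seen."""
    findings = []
    for label, pattern in FLASH_KEYS:
        if re.search(pattern, pdf):
            findings.append("dictionary: " + label)
    for m in STREAM_RE.finditer(pdf):
        dictionary, data = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # corrupt or differently encoded; real triage would flag this too
        if SWF_MAGIC.match(data):
            findings.append("stream: SWF magic %s at offset 0" % data[:3].decode("ascii"))
    return findings


def _sample_swf() -> bytes:
    """Constructed stand-in for a compressed SWF: 'CWS', version, uncompressed length, zlib body."""
    body = b"\x00" * 56
    return b"CWS\x0a" + (8 + len(body)).to_bytes(4, "little") + zlib.compress(body)


def build_sample_pdf(with_flash: bool) -> bytes:
    """Constructed minimal PDF skeleton (no xref table); with_flash embeds a RichMedia SWF."""
    objs = [b"1 0 obj\n<</Type /Catalog /Pages 2 0 R>>\nendobj\n",
            b"2 0 obj\n<</Type /Pages /Kids [3 0 R] /Count 1>>\nendobj\n"]
    if with_flash:
        swf = zlib.compress(_sample_swf())
        objs += [b"3 0 obj\n<</Type /Page /Parent 2 0 R /Annots [4 0 R]>>\nendobj\n",
                 b"4 0 obj\n<</Type /Annot /Subtype /RichMedia /RichMediaContent 5 0 R>>\nendobj\n",
                 b"5 0 obj\n<</Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash"
                 b" /Filter /FlateDecode /Length %d>>\nstream\n" % len(swf)
                 + swf + b"\nendstream\nendobj\n"]
    else:
        text = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")
        objs += [b"3 0 obj\n<</Type /Page /Parent 2 0 R /Contents 6 0 R>>\nendobj\n",
                 b"6 0 obj\n<</Filter /FlateDecode /Length %d>>\nstream\n" % len(text)
                 + text + b"\nendstream\nendobj\n"]
    return b"%PDF-1.7\n" + b"".join(objs) + b"%%EOF\n"


# --- 2. Recovering a single-byte-XOR-encoded second stage --------------------
def recover_single_byte_xor(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Try all 256 keys (assumption: one key over the whole buffer); accept only a
    decode that looks like a PE image: 'MZ' at 0 and 'PE\\0\\0' at the e_lfanew
    offset stored at 0x3C. Returns (key, plaintext) or None."""
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        if len(plain) < 0x40 or plain[:2] != b"MZ":
            continue
        e_lfanew = int.from_bytes(plain[0x3C:0x40], "little")
        if plain[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return key, plain
    return None


def _sample_pe() -> bytes:
    """Constructed stand-in for a Windows executable: only the fields the check reads are set."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    for flag in (False, True):
        print("flash" if flag else "clean", scan_pdf_for_flash(build_sample_pdf(flag)))
    wire = bytes(b ^ 0x5A for b in _sample_pe())  # what an HTTP-scanning IDS would see
    print("recovered key: 0x%02x" % recover_single_byte_xor(wire)[0])
```

On a real file, call `scan_pdf_for_flash(open(path, "rb").read())`; an empty result means no indicator was seen, not that the document is clean, since Flash can also sit in object streams or behind filters this heuristic does not decode.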


