Adobe has issued security advisory APSA10-03 describing a new critical vulnerability in its products. This time, the primary target is Flash Player, with multiple platforms (Windows, Mac, Linux, Solaris, and Android) all affected, and the vulnerability is currently being exploited in the wild. Current versions of Acrobat and Reader, the target of last week’s vulnerability, are also affected, although Adobe states that in-the-wild attacks against these have not yet been seen.
Trend Micro detects malicious Shockwave Flash (.SWF) files exploiting this vulnerability as TROJ_SWIF.HEL. It functions as a downloader that retrieves malware from other sites. It connects to certain URLs, which lead to files detected as BKDR_POISON.AKD that, in turn, connect to a remote box somewhere in Korea. BKDR_POISON variants typically open a hidden Internet Explorer browser to connect using certain ports.
Interestingly, TROJ_SWIF.HEL also displays an image of a waterfall via a second embedded .SWF file, which is possibly used to trick users into thinking that they’ve opened a normal .PDF file.
Adobe has also stated when solutions for this vulnerability as well as last week’s will be released. Flash Player will receive an update on the week of September 27. Acrobat and Reader will receive fixes on the week of October 4.
Until the patches are released, Trend Micro offers protection against this flaw for enterprise users of Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in, which has rule 1004403 (Adobe Flash Player Remote Code Execution) to block attacks against this new vulnerability.
Update as of September 16, 2010 5:42 a.m. UTC
We’ve found new malware that also exploits this vulnerability, and it is now detected as TROJ_SWIF.HEI.
Update as of September 20, 2010 7:17 a.m. UTC
Update as of September 21, 2010 9:00 a.m. UTC
Adobe has issued security updates for Flash Player that resolve this issue.