Enterprises running Adobe software in an Infrastructure as a Service (IaaS) cloud environment may find a new Adobe Flash Player vulnerability to be of interest. Trend Micro's antivirus and Trend Micro Deep Security offerings can both protect against this latest vulnerability and counter exploits of it. If you have an IaaS cloud server with a Deep Security agent using updated rules (specifically rule 1004403, Adobe Flash Player Remote Code Execution), you are covered.
The above is an update to what we posted yesterday (September 15, 2010) regarding this critical vulnerability in Adobe’s Flash Player:
Adobe has issued security advisory APSA 10-03 describing a new critical vulnerability in its products. This time, the primary target is Flash Player; multiple platforms (Windows, Mac, Linux, Solaris, and Android) are all affected, and the flaw is currently being exploited in the wild. Current versions of Acrobat and Reader, the target of last week's vulnerability, are also affected by the same exploit, although Adobe states that in-the-wild attacks against these have not yet been seen.
Trend Micro detects malicious ShockWave Flash (.SWF) files exploiting this vulnerability as TROJ_SWIF.HEL. This file functions as a malware downloader: it connects to certain URLs, which lead to files detected as BKDR_POISON.AKD that, in turn, connect to a remote box somewhere in Korea. BKDR_POISON variants typically open a hidden Internet Explorer browser to connect using certain ports.
Interestingly, TROJ_SWIF.HEL also displays an image of a waterfall via a second embedded .SWF file, which is possibly used to trick users into thinking that they have opened a normal .PDF file.
Adobe has also stated when fixes for this vulnerability, as well as last week's, will be released. Flash Player will receive an update the week of September 27. Acrobat and Reader will receive fixes the week of October 4.
Until the patches are released, Trend Micro offers protection against this flaw for enterprise users of Deep Security and of OfficeScan with the Intrusion Defense Firewall (IDF) plug-in, both of which carry rule 1004403 (Adobe Flash Player Remote Code Execution) to block attacks against this new vulnerability.