An exploit for another zero-day vulnerability in Adobe Flash Player was very recently found just a couple of weeks after Adobe patched a similar critical vulnerability, which was actively exploited and used for attacks.
According to the security advisory Adobe released, the vulnerability identified as APSA11-02 is currently being exploited in the wild in the form of an .SWF file embedded in a Microsoft Word document. According to reports, the said exploit was also being distributed through email. We are currently trying to find more information on the nature of the email messages through which the exploit arrives.
We were able to analyze a sample of the Microsoft Word document wherein the exploit was embedded. The document bears the file name Disentangling_Industrial_Policy_and_Competition_Policy.doc and is now detected as TROJ_MDROP.WMP. It contains an .SWF file which contains the exploit code. It is now detected as SWF_EXPLOIT.WMP. After the successful exploit, TROJ_MDROP.WMP will then drop another malicious file detected as BKDR_SHARK.WMP.
Software affected by this vulnerability include:
- Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux, and Solaris OSs
- Adobe Flash Player 10.2.154.25 and earlier for Chrome users
- Adobe Flash Player 10.2.156.12 and earlier for Android users
- The Authplay.dll component that is shipped with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh OSs
Adobe has yet to release a patch for this vulnerability.
The way this exploit arrives in users’ systems is very similar to the one used for APSA11-01. Both exploits arrive as .SWF files embedded in Microsoft Office documents (the previous one is embedded in Microsoft Excel spreadsheets). Such kind of threats, when used for sophisticated schemes like targeted attacks, can cause a lot of damage. It could be recalled that APSA11-01 was reportedly used in several attacks, including one related to the Japanese earthquake and to the breach that affected RSA.
As this vulnerability remains unpatched, there is a huge possibility that it will be used for malware attacks. Users are strongly advised to practice extreme caution in dealing with email messages (especially those that come with attachments) from unverified sources.
Update as of April 13, 2010 10:10 PM Pacific Time
Adobe already announced the schedule for the release of security updates that will address this vulnerability. According to their updated bulletin, the patches will be released as follows:
- Adobe Flash Player 10.2.x and earlier versions for Windows, Macintosh, Linux, and Solaris will be updated on April 15,2011
- Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh will be updated on or before April 25, 2011
- Adobe Reader X for Windows will be updated on the next security update, scheduled to be released on June 14, 2011
Update as of April 15, 2011 5:00 AM Pacific Time
We’ve found spam samples related to this zero-day attack. The email messages arrive with a Word document bearing the file name APRIL 2011.doc:
The said attachment is malicious and is now detected as TROJ_MDROP.WMP. It drops yet another malicious file detected as BKDR_AGENT.WMP. Spammed messages such as the one above are already blocked.
Update as of April 21, 2011 1:41 AM Pacific Time
Adobe released an out-of-cycle security update to address the vulnerabilities cited in APSA-2011-02. However, for updates on Adobe Reader X for Windows, Adobe is planning to include this on their next quarterly security update, which is currently scheduled for June 14, 2011.