
Followup to Flash/swf stories

Published: 2008-05-28. Last Updated: 2008-05-28 16:57:38 UTC
by Jim Clausing (Version: 2)

We've received quite a bit of mail about our stories yesterday about the malicious SWF files attempting to exploit older versions of the Adobe Flash player.  So, here are a few of the things that have come out of our discussions.

  1. Our friends over at shadowserver.org (thanx, Steven) have a nice writeup that includes a bunch of domains they've noted that have the malicious SWF files.
  2. If you aren't sure which version of the flash player you are using, Adobe provides this page where you can check for yourself.
  3. On closer examination, this does not appear to be a "0-day exploit".  Symantec has updated their threatcon info, as well.  We have yet to see one of these that succeeds against the current version (9.0.124.0); if you find one that does, please let us know via the contact page.
  4. It appears that this exploit may be included in the Chinese version of the MPack exploit toolkit (among others).
  5. In case we weren't clear about it earlier, it appears that the infected web sites check which browser you are using in addition to the flash player version to determine which exploit to deliver.

There are several ways to protect yourself even if you have a vulnerable version of the Flash player.

  • In Firefox, you can use either of the following add-ons: NoScript (one of our favorites, found here or here) or FlashBlock (here or here).
  • In IE, see here for how to set the "killbit"; the CLSID is BD96C556-65A3-11D0-983A-00C04FC29E36.
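As an added example (not part of the diary), here is a PowerShell script that checks whether the IE ActiveX kill bit is set for a given CLSID and, with the assumed -Apply switch, sets it and re-reads the registry to confirm. The CLSID is passed in by the reader rather than hard-coded, so it works for whichever control you decide to block.

```powershell
# Added example, not from the ISC diary. The kill bit lives under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# as the DWORD "Compatibility Flags" with bit 0x400 set.
# -Clsid is the control you want to check; -Apply is a switch name
# chosen for this example and is needed to actually write the value.
param(
    [Parameter(Mandatory = $true)][string]$Clsid,
    [switch]$Apply
)

$KillBit = 0x400
$guid = '{' + $Clsid.Trim('{}').ToUpper() + '}'
$key  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$guid"

# Returns $null if the key does not exist, otherwise the current flags (0 if unset).
function Get-KillBitState {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $flags = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 0 }
    return [int]$flags
}

$state = Get-KillBitState -Path $key
if ($null -ne $state -and ($state -band $KillBit)) {
    Write-Output ("Kill bit already set for {0} (Compatibility Flags = 0x{1:X})" -f $guid, $state)
    return
}
Write-Output ("Kill bit NOT set for {0}" -f $guid)
if (-not $Apply) { return }

# Writing under HKLM needs an elevated prompt; OR in the bit so any existing flags survive.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
$new = ([int]$state) -bor $KillBit
Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord

# Re-read rather than trust the write: confirm the bit actually landed.
if ((Get-KillBitState -Path $key) -band $KillBit) {
    Write-Output ("Kill bit set for {0}; IE will refuse to instantiate this control." -f $guid)
} else {
    Write-Error "Failed to set kill bit for $guid (run from an elevated prompt?)"
}
```

On 64-bit Windows the 32-bit browser reads the same path under SOFTWARE\Wow6432Node, so check that location as well.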

Update: (2008-05-28-16:54UTC) I was remiss in not mentioning Dancho Danchev's writeup.

Keywords: flash swf

Comments

The CLASSID cited here isn't for any version of Flash, it's for the very-popular-with-the-bad-guys RDS.DataControl BD96C556-65A3-11D0-983A-00C04FC29E36 (MS06-014). Symantec is recommending setting the killbit for {d27cdb6e-ae6d-11cf-96b8-444553540000} ... is there a classid for just the known-vulnerable version of Flash?
