Adobe out of time? 0-day for Flash Player reported

Word is coming down today that there is a zero-day exploit in the wild for the current (public release) version of the Flash Player. The first big source for this appears to be Symantec, which urges users to “Avoid untrusted sites and disable Flash until patches are available.” In the height of irony, on their security response page, this information is delivered by . . . you guessed it, a Flash file, hosted from their own site.

Adobe has been playing beat the clock since the end of last year, when some fundamental flaws in Flash were brought to the public eye. The current ’sploit seems to be seeded on a potentially large number of bogus sites, and the tactics are along the lines of other malware drive-bys: get the user to go to the site, have the malware run. In this case, the pool of vulnerable clients is huge, as almost everyone has Flash installed (and there is no “invulnerable” version amongst the current ones).

Little is known about the current exploit, and there is no evidence yet that it is linked to any of the issues previously discussed. There are no reports yet of it being served through a trusted site, but if that is pulled off, the results could be devastating.

SANS ISC is tracking it, as I am sure are other sources (Security Focus has it listed here, albeit with scant information other than that it seems to be fairly well “hosted” in terms of bogus sites supporting it). I’ll update (if there is more known) when I have more time this evening. If you are running something like AdBlock Pro or NoScript, you might want to take steps to block .swf files for the time being.
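One caveat on blocking by file name: a drive-by site is under no obligation to call its payload something.swf or to serve it with a Flash MIME type, so a filter that only looks at the extension will miss a Flash file served as “photo.jpg”. The script below is an added example of mine, not code from the post or from any of the tools mentioned. It checks the fixed 8-byte SWF header (the FWS/CWS/ZWS signature, version byte and length field, which are part of the public SWF format) in addition to extension and content type, and runs over a handful of constructed responses. The URLs, the example.invalid host and the blobs are made up for the demonstration; the filter is a building block you would wire into a proxy or an ICAP hook, not a ready-made browser plugin.

```python
import struct
import zlib

# SWF signatures: "FWS" uncompressed, "CWS" zlib-compressed body, "ZWS" LZMA body.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}

FLASH_MIME_TYPES = {"application/x-shockwave-flash"}


def parse_swf_header(data):
    """Parse the fixed 8-byte SWF header: 3-byte signature, 1-byte version,
    little-endian uint32 length of the (uncompressed) file.
    Returns (compression, version, declared_length) or None if this is not SWF."""
    if len(data) < 8:
        return None
    compression = SWF_SIGNATURES.get(data[:3])
    if compression is None:
        return None
    version = data[3]
    declared_length = struct.unpack("<I", data[4:8])[0]
    # A version of 0 or a declared length shorter than the header is not a valid file.
    if version == 0 or declared_length < 8:
        return None
    return compression, version, declared_length


def should_block(url, content_type, body):
    """Return (block, reason). Cheap checks on name and MIME type come first; the
    header sniff is what catches Flash served under a harmless-looking name."""
    path = url.split("?", 1)[0].lower()
    if path.endswith(".swf"):
        return True, "extension"
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in FLASH_MIME_TYPES:
        return True, "content-type"
    if parse_swf_header(body) is not None:
        return True, "sniffed"
    return False, ""


def make_swf(signature, version, rest):
    """Build a constructed, non-functional SWF-shaped blob for testing: the
    header followed by `rest`, zlib-compressed when the signature is CWS.
    (ZWS/LZMA bodies are not constructed here.)"""
    header = signature + bytes([version]) + struct.pack("<I", 8 + len(rest))
    if signature == b"CWS":
        return header + zlib.compress(rest)
    return header + rest


# Constructed responses for the demonstration, not captured traffic.
SAMPLES = [
    ("http://example.invalid/banner.swf", "application/x-shockwave-flash",
     make_swf(b"FWS", 10, b"\x00" * 20)),
    # Flash disguised as an image: wrong extension, wrong MIME type, real header.
    ("http://example.invalid/photo.jpg", "image/jpeg",
     make_swf(b"CWS", 10, b"\x00" * 20)),
    ("http://example.invalid/logo.png", "image/png",
     b"\x89PNG\r\n\x1a\n" + b"\x00" * 20),
    # The signature letters somewhere inside a page are not a header.
    ("http://example.invalid/page.html", "text/html",
     b"<html>FWS and CWS are just letters here</html>"),
]


def audit(samples=SAMPLES):
    """Run the filter over every sample and return [(url, block, reason)]."""
    results = []
    for url, content_type, body in samples:
        block, reason = should_block(url, content_type, body)
        results.append((url, block, reason))
    return results


if __name__ == "__main__":
    for url, block, reason in audit():
        print(f"{'BLOCK' if block else 'allow':5}  {url}  {reason}")
```

Running it flags banner.swf by extension and photo.jpg by the sniffed header, while the PNG and the HTML page pass. The sniff only reads the first eight bytes, so it does not need to decompress the body, which keeps it cheap enough to run on every response.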
