By Stefanie Hoffman, ChannelWeb, July 24, 2009, 1230 hrs
The U.S. Computer Emergency Readiness Team (US CERT) is recommending that users turn off Flash in their Web browsers due to critical vulnerabilities in Flash Player and Adobe Reader, which have already paved the way for hackers to launch malicious attacks on users' computers.
Adobe issued a security advisory recently warning users of an actively exploited zero-day flaw, found in versions 9 and 10 of Adobe Flash Player, triggered by bugs in Adobe Reader and Adobe Acrobat 9.1.2. The vulnerability affects Windows, Mac and Linux platforms.
As with most exploits, the flaw opens the door for attackers to install a malicious Flash Player file embedded in PDF documents, which could be used to crash a user's system or allow an attacker to execute information-stealing code on unsuspecting users' computers.
The attack is executed when hackers entice a user to visit a malicious Web site—typically through some social engineering scheme—or by sending an infected PDF file via e-mail. Once opened, the malicious PDF files, detected as Trojan.Pidief.G, automatically install the information-stealing malware on users' computers.
Meanwhile, Adobe researchers say that they have already started to see what they call "limited targeted attacks" launched on Adobe Reader version 9 for Windows, which caused the company to rank the vulnerability as "critical." However, security experts anticipate more attacks will follow.
Symantec Security researcher Patrick Fitzgerald said in a blog post that this Flash Player attack was particularly dangerous due to the ubiquitous nature of Flash. Unlike other vulnerabilities that are confined to a particular browser or operating system, Flash can span multiple platforms, allowing attacks exploiting related vulnerabilities to be distributed widely.
"Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating-system-independent; therefore the threat posed by this issue is not to be taken lightly," Fitzgerald said. "The large user base of Flash presents attackers with a huge target audience and will certainly be too much for them to resist."
Meanwhile, researchers at the SANS Institute said in a blog post that the malware exploiting the Flash vulnerability has been found to evade antivirus programs, noting that the exploit still works "even when JavaScript support is disabled in Adobe Reader."
"Regarding Flash, NoScript [Firefox extension that allows JavaScript to be executed only by trusted Web sites] is your best help here, of course," said SANS researcher Bojan Zdrnja, in a blog post.
Zdrnja said that the vulnerability has already paved the way for a low number of "drive-by" attacks, in which attackers infuse a legitimate Web site with malicious code or lure users to a malicious Web site of their own creation. Attacks have been launched on both Internet Explorer and Firefox Web browsers, Zdrnja said.
Adobe said in its advisory that it has been in contact with several security and antivirus vendors and plans to repair the flaw in Flash Player by July 30 and in Adobe Reader and Acrobat by July 31.
Until a fix is created and deployed, the U.S. CERT recommends that users work around the security bug by disabling Flash in Adobe Reader 9 on Windows and either disabling Flash Player or selectively enabling Flash content.
Security experts also recommend that users avoid opening PDF attachments from unfamiliar or untrusted sources, while keeping antivirus software up-to-date.