Contrary to initial reports, the Flash Player exploit being fed users who visit legitimate websites is not a true zero-day, a researcher said Wednesday.
But that's hardly the point, said Don Jackson, the director of threat intelligence at SecureWorks. "I'd still call this catastrophic," said Jackson, "because when you look at the distribution of Flash versions, users hardly ever have the latest one."
In fact, Jackson was on target in more ways than he knew. Ben Greenbaum, a senior research manager at Symantec, said later that although the vulnerability is not new - and thus not really a "zero-day" bug - some up-to-date versions of Flash Player are vulnerable to attack.
Greenbaum called it a "false positive zero-day" and added that the exploit in circulation "does still work against some of the most current and patched versions of Flash Player, and so still has some characteristics of a zero-day."
For his part, Jackson said that the currently-available version of Flash Player, dubbed 18.104.22.168, is immune, while computers running Flash Player 22.214.171.124 - the edition superseded by an April update, Adobe Systems released to patch other vulnerabilities - is susceptible to attack. "It looks like [126.96.36.199] has been patched," he said.
Greenbaum, however, went a step further. "The vulnerability is similar enough [to one already disclosed] that we're treating it as the same," he said. "But not all the versions are patched correctly."
The more widely-used browser plug-in of Flash Player 188.8.131.52, said Greenbaum, is not at risk, but the standalone Flash Player 184.108.40.206, is. Adobe offers both browser plug-in and standalone versions of its Flash Player.
Although it's not unheard of for patches to not properly protect all versions of a particular program, Greenbaum said, it is unusual, and even more so when comparing the standalone and plug-in editions of an application.
Adobe was not immediately available to confirm Greenbaum's claims, but the Symantec researcher said that his team had been working with the Flash developer since yesterday on the problem. "This is the latest and greatest news," Greenbaum said.
The Flash Player is-or-isn't-at-risk story began Tuesday, when researchers at the SANS Institute's Internet Storm Center and Symantec raised the alarm about the exploit, and said it was triggering an unknown, and unpatched, vulnerability in the popular plug-in and application.
Later Tuesday, however, Symantec seemed to back off its initial analysis. "Originally, it was believed that this issue was unpatched and unknown, but further technical analysis has revealed that it is very similar to the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM," Symantec said in a write-up explaining why it had bumped its ThreatCon ranking to Level 2.
Both Greenbaum and Jackson also cited Dowd, of IBM's X-Force research team. Last month, Dowd published a paper 9download PDF) that spelled out how Flash Player's ActionScript Virtual Machine could be exploited by attackers. "This exploit uses the same techniques that Mark Dowd described," said Jackson. "He shone a light on the techniques."
The Flash Player exploit is only one of several being served from hacked sites, said Jackson, who described the multi-exploit attack kit used as a "Chinese kind of Mpack," the latter a notable kit that's been in use, and updated, for more than a year. Most of the exploits target Chinese-language software, often games, but some leverage vulnerabilities in applications, such as Flash, that are used worldwide.
Hackers are attacking Windows PCs whose users visit legitimate Web sites that earlier had been breached using SQL-injection attacks. The attack vector has become extremely popular of late, with some campaigns compromising thousands, tens of thousands and even hundreds of thousands of pages. Estimates of the number of hacked pages in this campaign vary wildly, from a low of 20,000 to a high of 250,000.
There is a connection between these attacks and other recently launched from legitimate sites, said Jackson and others. Bulgarian security researcher and blogger Dancho Danchev, for example, noted that one of the two domains found yesterday serving the Flash Player exploit shared the same IP address block as several malware domains used in a wave of attacks last week.
The hackers are using Google's search engine to sniff out vulnerable Web sites, said Jackson. "The attack kit polls Google with a search term and brings up vulnerable ASP (Active Server Pages, a Microsoft scripting engine), so that the most popular pages show up first," said Jackson.
Although the exploit doesn't work on the most current version of Flash, Jackson said that's almost beside the point. "The distribution of vulnerable versions is very high," he claimed, citing data that SecureWorks had on its corporate customer base. "We still thought it important to put our warning out."
"Because [Flash Player] 220.127.116.11 and possibly earlier vulnerable versions contain this highly critical flaw and are so widely distributed, the SecureWorks Threat Intelligence Service is advising that organizations verify their Flash Player versions and patch, if necessary, as soon as possible," SecureWorks' advisory read.
Symantec, meanwhile, advised users to "avoid browsing to untrustworthy sites," or to deploy script-blockers, such as the NoScript add-on available for the Firefox browser. Users can also set a 'kill bit' in the Windows registry to disable Flash until a patched edition of the standalone application is released.