
7 users responded to this post

John Dowdell said in May 30th, 2008 at 12:28 am

Thanks for reminding people to keep their internet software current, but you might wish to research the incident a bit more.

20,000 mainstream website domains were indeed apparently hacked, but with HTML injections. These good sites were carrying bad instructions… unpatched servers were the main way the gang infected thousands of websites’ HTML.

What did that HTML do? Point to two servers in China, which hosted malformed SWF which, in back versions of Adobe Flash Player, could take advantage of a novel null-reference injection popularized in the blogosphere two months ago. Those two SWF-hosting servers were taken down pretty quickly, so all the infected HTML on websites was rendered useless. The goal? Apparently, to steal World of Warfare passwords, to then steal virtual equipment, for resale in realworld capital markets.

What you wrote here is inaccurate… can you research and correct?
“What the flash file will do is install a Trojan on your machine, and send the server passwords, and possibly other data.”

tx, jd/adobe

David Kenedy said in May 30th, 2008 at 12:35 am

I am actually a Macromedia Flash fan, but I have to say I find your comment funny. First of all, it’s World of Warcraft… I’ve never heard of this “Warfare” game you speak of. Second, the exploit could be used to do exactly what the blogger talks about, it’s a good thing it wasn’t bad. Third, IBM published the vulnerability weeks ago. Fourth, ya SQL Injection attacks are up.

And last, there is nothing inaccurate in this post… lol… There are, however, a few things inaccurate in yours.

Miguel Carrasco said in May 30th, 2008 at 1:09 am

Hi John,

Thanks for the comments. I have clarified the comments. Keep up the great work with Air/Flex! Nice to see where you are taking the technology, especially Actionscript.

Miguel Carrasco

John Dowdell said in May 30th, 2008 at 11:14 am

Sorry, you really do need to research more.

1) Mark Dowd held back his null-reference paper until after Player 9.0.124 addressed it. I wish he had held it back a few months more, so the population could be updated, but sic transit gloria mundi. His paper was cited as the blueprint for this China attack, but as Symantec has clearly backtracked, the attack fails in current software.

2) Yes, SWF files are downloaded before being played in the browser. HTML files work the same — you need to download it before it is locally rendered. No, that does not make either of them “a trojan”.

3) Yes, if you used unpatched software and visited one of the 20,000 infected HTML websites, and did so before the two SWF-serving sites in China were shut down, then it might have downloaded an additional file to your machine. That would be less a trojan than a drive-by download, such as Safari currently enables from straight HTML. But the two Chinese servers were the chokepoint, and were efficiently removed from the web. Your practical exposure was zip.

4) And yes, I typo’d “warfare”, as I later noted in my Twitter citation. Horrors.

We’ve still got a problem of lots of compromised webservers out there, hosting HTML instructions without their owners’ knowledge.

We’ve also got a problem of journalists and bloggers popularizing a story without thinking about it, investigating it, confirming it for themselves. Adobe Flash Player does not “grab your files”. But the headline certainly grabs your attention.

jd/adobe
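The mechanism John describes above has two defender-side checks that fall out of it directly: is the installed Player at or past the release he names as the fix (9.0.124), and does a page's HTML reference a SWF served from a host other than the page's own. The script below is an added example written for this thread, not code from the original post or from Adobe; the sample HTML and the `swf-host.invalid` hostname are constructed stand-ins, not the servers involved in the incident.

```python
import re
from urllib.parse import urlparse

# Player release that, per the thread, addressed the null-reference bug.
FIXED_PLAYER_VERSION = "9.0.124.0"


def parse_version(v):
    """Turn a dotted version such as '9.0.115.0' into a comparable 4-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_player_patched(installed, fixed=FIXED_PLAYER_VERSION):
    """True when the installed Flash Player is at or beyond the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


# Tags whose attributes can pull a SWF into the page:
# <object data>, <embed src>, <param name="movie" value>, <iframe src>, <script src>
_TAG_RE = re.compile(r"<(object|embed|param|iframe|script)\b([^>]*)>", re.I)
_ATTR_RE = re.compile(r'([a-zA-Z]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def _attrs(attr_text):
    """Parse a tag's attribute text into a lower-cased name -> value dict."""
    out = {}
    for m in _ATTR_RE.finditer(attr_text):
        out[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return out


def find_external_swf_refs(html, page_host):
    """Return (tag, url) pairs for SWF files loaded from a host other than page_host.

    Relative URLs resolve to page_host and are treated as first-party content;
    anything ending in .swf on a different host is reported for review.
    """
    hits = []
    for m in _TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), _attrs(m.group(2))
        if tag == "param":
            if attrs.get("name", "").lower() != "movie":
                continue
            url = attrs.get("value", "")
        elif tag == "object":
            url = attrs.get("data", "")
        else:
            url = attrs.get("src", "")
        parsed = urlparse(url)
        if not parsed.path.lower().endswith(".swf"):
            continue
        host = parsed.hostname or page_host  # relative URL -> same host
        if host.lower() != page_host.lower():
            hits.append((tag, url))
    return hits


# Constructed sample page: one first-party SWF plus one injected third-party SWF.
SAMPLE_HTML = """
<html><body>
<object data="/media/intro.swf" type="application/x-shockwave-flash">
  <param name="movie" value="/media/intro.swf">
</object>
<embed src="http://swf-host.invalid/ads/banner.swf" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for v in ("9.0.115.0", "9.0.124.0", "10.0.12.36"):
        print(v, "patched" if is_player_patched(v) else "VULNERABLE")
    for tag, url in find_external_swf_refs(SAMPLE_HTML, "www.example.com"):
        print("third-party SWF via <%s>: %s" % (tag, url))
```

Run against a site's own pages, the second function gives a site owner a quick way to notice the kind of injected HTML John describes without knowing the attacker's hostnames in advance; the version check is what an end user or help desk would apply.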

Miguel Carrasco said in May 30th, 2008 at 1:06 pm

Thanks John,

By the way, I read your blog and follow your twitter. There seems to be a lot of confusion around what really happened, even Symantec and McAfee have “changed” their stories. Bottom line, nothing is secure, we just need to be able to inform our users quickly when they should patch. I’m sure the same thing could happen in Silverlight and Flash. Hopefully Microsoft and Adobe both figure out a way to deal with these kinds of threats better. Would be awesome to have the ability to force patch these kinds of things.

Truth be told, Silverlight and Flash, along with Air/Flex and WPF are at the forefront and I believe to be the future of the cloud computing internet. I just hope we all figure out better ways to patch users quickly, when threats like these are identified. Being in software development for nearly 15 years myself, I know it’s easier said than done.

Pleasure to chat about this by the way!

Miguel

John Dowdell said in May 31st, 2008 at 1:26 pm

“There seems to be a lot of confusion around what really happened, even Symantec and McAfee have “changed” their stories.”

Yes, agreed, thanks. But even today I’m seeing fresh news headlines with only the older, incorrect information. And lots of people never read beyond the headline. Significant problem. :(

jd/adobe

Michael said in June 12th, 2008 at 4:49 pm

Well, given the pro-Silverlight view of this site (which I almost wonder if they aren’t being paid by MS to drone on and on), it’s no wonder they are critical of Flash.
