Following the news on Adobe releasing a security update for Flash Player, find below a brief interview with Kaspersky and further comments from Tripwire:
Vyacheslav Zakorzhevsky, Head of Vulnerability Research Group at Kaspersky:
Q) Can you disclose how the vulnerability was found?
A) This vulnerability was found when we discovered some new, similar SWF exploits containing shellcode in Kaspersky Lab’s cloud network. With Adobe, we confirmed that the files contained a zero-day vulnerability. All the detected exploits contain malicious code, with another containing an embedded executable file.
This attack works as follows: when a document is opened, an embedded Flash exploit writes a simple downloader to disk, which then downloads a fully-featured backdoor and a Trojan-Spy. The program goes on to steal passwords from popular email clients and grabs logins and passwords from the web forms of popular social and email services.
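The delivery vehicle described above is a Flash (SWF) object embedded in a docx file. Since a docx is a zip container, a defender can triage such documents offline by scanning every part for an SWF header. The following is an added example, not Kaspersky's or Adobe's code; the sample document it builds is constructed in memory with a fake SWF header (no exploit content), and the assumption that embedded Flash lands in a `word/activeX/` part is only an illustration of where such content can sit.

```python
import io
import re
import struct
import zipfile

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian uncompressed length.
# FWS = uncompressed, CWS = zlib-compressed (Flash 6+), ZWS = LZMA-compressed (Flash 13+).
# Version range 1..40 is an assumed sanity bound to cut down false matches in binary data.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x28]")


def swf_headers_in(blob):
    """Return (offset, signature, version, declared_length) for every plausible SWF header in blob."""
    hits = []
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        sig = blob[off:off + 3].decode("ascii")
        version = blob[off + 3]
        declared = struct.unpack_from("<I", blob, off + 4)[0]
        if declared < 8:
            continue  # no SWF is shorter than its own header
        # An uncompressed SWF declares its total size; it cannot exceed the bytes that follow.
        if sig == "FWS" and declared > len(blob) - off:
            continue
        hits.append((off, sig, version, declared))
    return hits


def find_embedded_swf(docx_bytes):
    """Scan every part of an OOXML (docx) container for embedded Flash content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            for off, sig, version, declared in swf_headers_in(zf.read(name)):
                findings.append({"part": name, "offset": off, "signature": sig,
                                 "version": version, "declared_length": declared})
    return findings


def build_sample_docx():
    """Constructed sample: minimal docx whose word/activeX part carries a fake CWS header (assumed layout)."""
    fake_swf = b"CWS" + bytes([11]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.bin", b"\x00" * 64 + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_embedded_swf(build_sample_docx()):
        print(finding)
```

A hit on any part is grounds to quarantine the document and pull the SWF out for analysis; the declared length and version help match it against vendor-published details of a given exploit.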
Q) Was it a targeted attack?
A) We can’t be 100 per cent sure, but there are a number of signs that have given us reason to believe this was a targeted attack. Firstly, the Flash videos were embedded in docx files with identical titles in Korean. We also found that those docx files were opened with an email client on Mac OS and were found in the cache of browsers on Windows 7. Finally, evidence points to Chinese organisations and users being the target of this attack.
Q) Was it used to install known malware or a new type of threat?
A) As yet, we haven’t identified the detected files as belonging to any existing botnet, suggesting that this is probably an isolated malicious development.
Further comments from Tripwire:
Tyler Reguly, Manager of Tripwire’s Vulnerability and Exposure Research Team (VERT):
“Microsoft sometimes avoids an out-of-band update by using the Security Advisory process over the Security Bulletin process because of the decision to include Flash in newer Windows releases, but I wonder if this release will identify a flaw in that process. A lot of enterprises have a process around security bulletin notifications and how to handle an out-of-band patch.
This advisory isn’t considered a bulletin with patches – it’s an advisory with a file you can download. Even in Brian Krebs’ article, there are links to Adobe but no links to Microsoft content. I’m still a firm believer that Microsoft has made a mistake with the advisory route and that some will overlook this update because it isn’t a Bulletin.”
Craig Young, VERT security researcher:
“This latest Flash zero-day serves as a good reminder of the reasons security professionals urge users to enable browser plugins only when necessary. It is important to note that browsers such as Chrome and Internet Explorer have Adobe’s Flash technology ‘baked in’, making it necessary to explicitly disable it when not needed.”