Web Threat Spotlight Issue 66: Zero-Day Adobe Flash Player Exploits in a Flash
Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
ISSUE NO. 66
JUNE 21, 2010
Zero-Day Adobe Flash Player Exploits in a Flash
Apart from ensuring that the threat landscape is consistently thriving, cybercriminals can also be depended on to jump at every single opportunity that arises. Zero-day vulnerabilities are no exception. Developers face the challenge of releasing updates before exploit attacks proliferate in the wild. Every time a software vulnerability is made public, users can expect cybercriminals to use it to their advantage faster than developers can say “patch.”
The Threat Defined
Security experts are faced with an interesting scenario every time a zero-day vulnerability is disclosed. There are always two possibilities: either developers effectively fix the flaw before any major issue arises, or cybercriminals get an opportunity to spread malware via vulnerability exploits and developers are left with the task of cleaning up the mess the attackers leave behind.
The recent zero-day exploit is a good example of the latter scenario. When Adobe released a security advisory about a Flash Player vulnerability, a zero-day exploit had already been found in the wild. Tagged as critical, the vulnerability (CVE-2010-1297) causes the application to crash and can allow remote attackers to execute malicious code on an affected system.
Exploits in a Flash
As evidenced by this and many other zero-day exploit attacks, cybercriminals waste no time in taking advantage of vulnerable users. In this particular scheme, spammers sent email messages with an .SWF file embedded in a .PDF file attachment. Opening the attached file executes the .SWF file, which, in turn, exploits the Adobe Flash Player vulnerability.
Figure 1. Adobe Flash Player vulnerability exploit infection diagram
The vulnerability currently exists in the 10.0.x and 9.0.x versions of Flash Player, including the current version (10.0.45.2). Furthermore, authplay.dll, the vulnerable component, is also used by Adobe’s PDF products. Consequently, Acrobat and Reader 9.3.2 and earlier versions in the 9.x family are also affected. Acrobat and Reader 8.x versions are not affected.
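As an added defensive example (not part of the original spotlight), the following Python scanner flags PDF attachments that carry an embedded .SWF object, the delivery vector described above. It is a byte-level heuristic rather than a full PDF parser; the marker names (/RichMedia, /EmbeddedFile) are standard PDF structures assumed here, and the sample document it builds is constructed for the demonstration, not the malicious file from this campaign.

```python
import re
import zlib

# SWF header magics: "FWS" = uncompressed, "CWS" = zlib-compressed; byte 3 is the SWF version.
SWF_MAGICS = (b"FWS", b"CWS")
# PDF structures that carry or reference Flash content (heuristic markers, not a full PDF parse).
PDF_MARKERS = (b"/RichMedia", b"/EmbeddedFile", b".swf")

def _stream_bodies(pdf: bytes):
    """Yield each stream body, plus its inflated form when the owning dictionary uses FlateDecode."""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = m.group(1)
        yield body
        # The object dictionary precedes the 'stream' keyword, so look back for the filter name.
        if b"/FlateDecode" in pdf[max(0, m.start() - 400):m.start()]:
            try:
                yield zlib.decompress(body)
            except zlib.error:
                pass  # not valid zlib data; the raw body has already been yielded

def scan_pdf_for_swf(pdf: bytes) -> dict:
    """Report whether a PDF embeds a Flash (.SWF) object, the delivery vector described above."""
    findings = {
        "is_pdf": pdf.startswith(b"%PDF"),
        "markers": sorted(k.decode() for k in PDF_MARKERS if k in pdf),
        "swf_stream": False,
        "swf_version": None,
    }
    for body in _stream_bodies(pdf):
        if len(body) > 3 and body[:3] in SWF_MAGICS:
            findings["swf_stream"] = True
            findings["swf_version"] = body[3]
            break
    return findings

def is_suspicious(findings: dict) -> bool:
    """Triage rule: a PDF carrying an SWF stream or a RichMedia annotation is held for inspection."""
    return findings["is_pdf"] and (findings["swf_stream"] or "/RichMedia" in findings["markers"])

def build_sample_pdf(embed_swf: bool) -> bytes:
    """Constructed test input, not a real exploit document: a minimal PDF that optionally
    carries a FlateDecode-compressed embedded file whose body starts with a CWS header."""
    pdf = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    if embed_swf:
        swf = b"CWS\x0a" + b"\x00" * 12  # header of a version-10 SWF plus dummy body bytes
        data = zlib.compress(swf)
        pdf += b"2 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
        pdf += str(len(data)).encode() + b" >>\nstream\n" + data + b"\nendstream\nendobj\n"
        pdf += b"3 0 obj\n<< /Subtype /RichMedia /Assets [ (movie.swf) 2 0 R ] >>\nendobj\n"
    return pdf + b"%%EOF\n"
```

A mail gateway or sandbox can apply `is_suspicious` to each .PDF attachment before delivery; legitimate PDFs with Flash content will also be held, which is the intended trade-off while the vulnerable component is unpatched.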
Opening Doors to Malware
Vulnerability exploits typically lead not just to one malware infection but to several infections at the same time. In this attack, Trend Micro detects the malicious files exploiting the vulnerability as TROJ_PIDIEF.WX. Once installed on a system, the Trojan connects to a malicious website to download a file detected as TROJ_SMALL.WJX, which, in turn, drops a file detected as BKDR_PDFKA.W.
Because of its routines, the backdoor leaves users susceptible not just to information theft but to involvement in cybercriminals’ money-making schemes as well. More specifically, BKDR_PDFKA.W collects system information such as installed applications and IP configuration. It is likewise capable of downloading files from the Web and executing them on the affected system. As a result, the compromised machine can be used for the pay-per-install (PPI) schemes that cybercriminals often use to spread malware and to build botnets.
User Risks and Exposure
Given the speed with which cybercriminals exploit vulnerabilities, users are constantly victims in the making. It does not help either that patching systems is a tiresome and time-consuming task for small businesses, and even more so for enterprises that need to manage several systems.
In this attack, users face the added challenge of dealing with several vulnerable applications at once. Since the malicious files exploit vulnerabilities in Adobe Flash Player, Acrobat, and Reader, users should patch all three applications and make sure none of them is left vulnerable.
In the end, it is still best to enable automatic updates whenever possible and to ensure that systems are consistently updated with the latest vendor-released patches. Since the threats in this attack arrive via spammed messages, users are likewise advised to practice discretion when opening email messages and when downloading and executing file attachments. Users should always be on the lookout for unsolicited email messages, dubious-sounding senders, and meaningless word salad. Such messages should be deleted immediately, since spammers sometimes use invisible links that can inadvertently lead users to malicious websites.
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ is a cloud-client content security infrastructure that automatically blocks threats before they reach you. A global network of threat intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive protection against threats. As the sophistication of threats, volume of attacks, and number of endpoints rapidly grow, the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall protection against data breaches, damage to business reputation, and loss of productivity.
In this attack, Smart Protection Network’s email reputation service blocks all emails related to this spam run. The file reputation service detects and prevents the download of malicious files detected as TROJ_PIDIEF.WX, TROJ_SMALL.WJX, and BKDR_PDFKA.W. The Web reputation service likewise prevents access to the malicious sites.
Users are also advised to upgrade to the latest Flash Player version, which Adobe has announced in the security bulletin linked below. Meanwhile, updates for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh, and Unix are expected to be released by June 29, 2010. As a workaround, users can manually delete the vulnerable component, authplay.dll. However, once this is done, Flash content within .PDF files can no longer be opened. Users may see a crash or an error message, but this will not trigger the exploit.
Trend Micro Deep Security and Trend Micro OfficeScan already protect business users against the Adobe product authplay.dll remote code execution vulnerability via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with IDF rule number 1004202.
Non-Trend Micro product users may also benefit from using free tools like eMail ID, a browser plug-in that helps users identify legitimate email messages in their inboxes.
The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/zero-day-flashacrobat-exploit-seen-in-the-wild/
The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.WX
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SMALL.WJX
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_PDFKA.W
Other related posts are found here:
http://www.adobe.com/support/security/advisories/apsa10-01.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297
http://blog.trendmicro.com/?s=zero-day
http://en.wikipedia.org/wiki/Compensation_methods#Pay-per-install_.28PPI.29
http://blog.trendmicro.com/spotlighting-the-botnet-business-model/
http://get.adobe.com/flashplayer/
http://www.adobe.com/support/security/bulletins/apsb10-14.html