February 8, 2013
Adobe Issues Emergency Flash Update In A Flash
Peter Suciu for redOrbit.com — Your Universe Online
On Thursday Adobe released an emergency update for its Flash reportedly to address two security issues that are being exploited by hackers. Unlike past hacks that have primarily targeted only PC users, one of the reported threats targets Safari and Firefox on the Mac, and could even allow the attackers to take control of victims' systems.
The vulnerability allows attackers to deliver the malware payload when visiting corrupted websites; and as a response Adobe is advising Flash users to update to version 11.5.502.149 as soon as possible.
This threat, cataloged as CVE-2013-0634, is one that has been described as tricking users into "opening booby-trapped Microsoft Word documents that contain malicious Flash content." Adobe has credited members of the Shadowserver Foundation, Lockheed Martin´s Cyber Kill Chain, and MITRE with discovering the malware and bringing it to their attention.
A second threat, CVE-2013-0633, also reportedly works by tricking Windows users into opening a Word document containing malicious Flash content. This malware was discovered by researchers at Kaspersky Labs.
In a security bulletin posted on the Adobe website the company noted:
"Adobe has released security updates for Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh, Adobe Flash Player 184.108.40.2061 and earlier versions for Linux, Adobe Flash Player 220.127.116.11 and earlier versions for Android 4.x, and Adobe Flash Player 18.104.22.168 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."
"Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows," it continued.
Adobe further noted that Flash Player installed with Google Chrome will automatically be updated to the latest version, which will include Adobe Flash Player 22.214.171.124 for Windows, Macintosh and Linux; while Flash Player for Microsoft´s Internet Explorer 10 for Windows 8 will also automatically be updated to the latest version.
The question remains as to who actually was responsible, which is often the case with such viruses, but it is also unclear as to who this targeted attack was against. What is clear is that this is not entirely a new threat, but rather part of an existing family of well-known malware.
PC Mag reported that researchers with FireEye Malware Intelligence Lab have analyzed the Word documents used to target Windows systems and identified an action script dubbed “LabyBoyle” within the Flash Code.
This script has the ability to place multiple executable files and a DLL library file onto Windows machines with ActiveX component installed. The attack files appear to have been compiled as recently as February 4, but still come from a malware family that is not new and has been observed in previous attacks.
On the FireEye Blog, a little more information was provided — possibly indicating the source of this malware:
"It is interesting to note that even though the contents of Word files are in English, the codepage of Word files are 'Windows Simplified Chinese (PRC, Singapore).' The Word files contain a macro to load an embedded SWF flash object."
Whether this could suggest that this follows last week´s hacking of computers at The New York Times and The Wall Street Journal isn´t clear, but it certainly could give a hint of the malware´s origins.