The Adobe AIR and Adobe Flash Player Incubator program updated their Flash Platform runtime beta program to version 5, delivered as Flash Player version 11.2.300.130. It includes a "sandboxed" version of the 32-bit Flash Player they are calling "Protected Mode for Mozilla Firefox on Windows 7 and Windows Vista systems". It has been over a year since Adobe discussed the Internet Explorer ActiveX Protected Mode version release on their ASSET blog, and the version running on Google Chrome was sandboxed too.

Adobe is building on the successes that they have seen in their Adobe Reader X software. Its sandbox technology has substantially raised the bar for driving up the costs of "offensive research", resulting in a dearth of Itw exploits on Reader X. As in "none" in 2011. This trend reflects 2011 targeted attack activity that we’ve observed. 2011 APT related attacks nailed outdated versions of Adobe Flash software delivered as "authplay.dll" in Adobe Reader v8.x and v9.x and the general Flash component "NPSWF32.dll" used by older versions of Microsoft Office and other applications. Adobe X just wasn't hit. IE Protected Mode wasn't hit. Chrome sandboxed Flash wasn't hit. If there are incident handlers out there that saw a different story, please let me know.

The SSL PKI has been in use and implemented for 15 years now to secure online communications. From its initial proprosals and immediate growth, the need for secured online communications has been met with challenges. The infrastructure and protocol itself is showing signs of wear, with multiple attacks and corrections to the scheme itself. And in its 15th year, an alternative to the Cerificate Authority infrastructure is finally being given some competition with the release and debate around Convergence, an open source alternative to the current system of Certificate Authorities. Feel free to right click and download for the full sized version; the graphic below provides a list of some of the major events for SSL/TLS PKI in the past 15 years.

The Democratic Party of Hong Kong's website was compromised and malware uploaded to the web server. Interestingly, the server was distributing malicious flash and spyware nearly identical to the compromised UK Amnesty International servers at the beginning of this month. The server is being cleaned up.

The english version of the website did not include injected iframe links pointing to the exploit.html page, which in turn delivers three different version-appropriate malicious variants of flash detected by Kaspersky as "Exploit.SWF.CVE-2011-0611". The malicious flash was 0day at the beginning of this month, and will be effective on unpatched systems.

Instantly this news became  very fruitful  for all kinds of cybercriminals. Here is  some of the proof we found:

1) SEO optimized Google image searches leading to a malicious site with the exploit for the “Help Center URL Validation Vulnerability”. The exploit drops into the system a malicious executable file which is a password stealer malware. 

At the moment we found it, Kaspersky Anti-Virus detected the sample as Heur.Trojan.Win32 .  Meanwhile the Jotti multiscanner results were 1/20

The exploit also works with Opera and Firefox browsers by dropping into the system a malicious PDF file:

2) SEO optimized for all non-Russian Google searchers leading to Rogue AVs, in particular to “XP Anti-Virus 2011” which  actually  is quite  aggressive in blocking Internet access and extorting money for the activation

The infection scheme is quiet simple: a victim looks for pictures with the topic “Royal Wedding” and when the click comes with a Google reference a special malicious script redirects the victim to a malicious .cc domain with a classic Fake AV window.

3) Scams related to a fake Satellite TV where a victim should pay for the fake service. And of course, the credit card is being stolen once the payment is accepted.

4) Spam on Twitter just abusing TT and leading to misc. junk content sites

We highly recommend using the latest patched Browser with a plugin like NoScript, don’t click on any unknown link, and keep your AV updated and real-time protection working.

Firefox (FF) users should be aware of a use-after-free vulnerability affecting Firefox versions 3.6.11 and earlier. The security team at Firefox has been working on getting a patch out since at least early Tuesday morning, delivering a v3.6.12 release candidate available for brave nightly build developers and testers last night.

A zero day exploit attacking this vulnerability was used at the compromised Nobel Peace Prize website to drop a trojan on unsuspecting visitors' systems, although the 0day was limited in that it did not implement well known ROP or JOP techniques (link to zipped pdf of VB2010 presentation slides) to effectively attack defensive technologies on newer Windows Vista and 7 platforms like DEP and ASLR. It effectively attacked newer FF on older versions of Windows.

To deal with this inadequacy, the attackers' javascript unusually checked for only newer versions of Firefox browsers and older versions of Windows. It only delivers the exploit code for those combinations. The writers must have felt rushed to get this exploit out.

Firefox users also can prevent attacks on the vulnerability by using the NoScript add-on or disabling javascript in their FF browser. Kaspersky Internet Security detects and prevents the exploit code as Exploit.JS.CVE-2010-3765.a.


UPDATE: Mozilla Firefox build 3.6.12 is out! In Firefox 3.6.11, you can click Help -> Check for updates... It includes the patch for msfa2010-73, "Heap buffer overflow mixing document.write and DOM insertion", a problem otherwise described as the previously posted "use after free". Readers interested in technical details of the vulnerability should check out the bug link previously posted above, the report "Interleaving document.write and appendChild can lead to duplicate text frames and overrunning of text run buffers" is now open to the public. Updating Firefox v3.6.11 takes under a minute, but requires a Firefox restart. The browser makes a best effort to restore any tabs that you may have had open at time of restart.

At this point, I suppose the dirty secret buried amongst the "FF 0day are rare!" hype is that the numbers of users hit with this stuff right now are extremely low, for both the Firefox exploit itself and the "Belmoo" trojan that was delivered with it. But now is not the time to be lackadaisical about patching or maintaining security software -- the exploit will predictably be enhanced with ROP (or other DEP/ASLR bypasses) and added to pages all over the web over the next couple of weeks and the following months. Dependent rss reader software is vulnerable too, so expect updates to those packages, and be aware that they run javascript and may be vulnerable.