retsecret.blogg.se

1. #TOR BROWSER INSTALL FLASH PLAYER PDF#
2. #TOR BROWSER INSTALL FLASH PLAYER PATCH#
3. #TOR BROWSER INSTALL FLASH PLAYER CODE#

They claim they'll have a patch ready around July 30-31. It appears that the attackers created two different shellcodes as well, one for Firefox users (still have to confirm this) and the other for Internet Explorer users (this one is confirmed to work).Īdobe has released an advisory on the issue here. (FIXED: the VT link pointed to a wrong file)Īt the moment there is a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate web sites to create a drive-by attack, as expected. Regarding Flash, NoScript is your best help here, of course. It appears that even when JavaScript support is disabled in Adobe Reader that the exploit still works, so at the moment there are no reliable protection mechanisms (except not using Adobe Reader?). At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal). Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic.

#TOR BROWSER INSTALL FLASH PLAYER PDF#

This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well.Īnd indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised".

#TOR BROWSER INSTALL FLASH PLAYER CODE#

However, the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. Besides being a 0-day there are some other interesting things about this exploit.įirst, several AV companies reported that they detected this 0-day exploit in PDF files, so at first it looked like an Adobe Reader vulnerability. The last one exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. Well, it looks like the last two weeks have definitely been marked by multiple 0-day exploits actively used in the wild.