Adobe has issued a security advisory concerning a new zero-day flaw (CVE-2011-0611) in Adobe Flash Player 10. As usual, this also means that other applications that render Flash content, such as Adobe Reader and Microsoft Office, are also affected.
Brian Krebs wrote a blog post earlier today describing some targeted attacks using a Microsoft Word attachment that had an embedded Flash object used to exploit this flaw.
Mr. Krebs notes that the samples in the wild were largely being used in spear phishing attacks targeting the US Government and related contractors and agencies.
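The attachments described above carry the exploit as a Flash (SWF) object embedded inside a Word document, so a first-line defensive check on inbound attachments is simply to ask whether a file that claims to be a document contains a SWF at all. The following scanner is an added example, not code from the original post or from SophosLabs: it walks a raw byte blob looking for the three SWF container signatures ("FWS" uncompressed, "CWS" zlib-compressed, "ZWS" LZMA) and sanity-checks the 8-byte header (version byte and declared length), decoding the zlib stream for CWS to weed out text that merely happens to contain those letters. The version ceiling and the sample "document" bytes are constructed assumptions; real Office files store the object inside OLE streams, and this heuristic only works when the SWF bytes are stored there uncompressed.

```python
import re
import struct
import zlib

# The three SWF container signatures defined in the Flash file format spec:
# "FWS" = uncompressed, "CWS" = zlib-compressed, "ZWS" = LZMA-compressed.
SWF_MAGIC = re.compile(rb"[FCZ]WS")

# Assumption: a loose ceiling on the SWF version byte; Flash Player 10 files
# carry version 10, and a byte such as 0x20 (space) is clearly text, not SWF.
MAX_PLAUSIBLE_VERSION = 20

# Assumption: cap on how much a CWS stream is allowed to inflate during the
# check, so a decompression bomb in an attachment cannot exhaust memory.
MAX_INFLATE = 64 * 1024 * 1024


def find_embedded_swf(blob: bytes) -> list:
    """Return plausible SWF headers found anywhere in `blob`.

    Each hit is a dict with the offset, signature, version, declared
    uncompressed length and whether the body passed a sanity check.
    This is a heuristic: it validates only the 8-byte header and, for
    CWS, that the bytes that follow form a decodable zlib stream.
    """
    hits = []
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        hdr = blob[off:off + 8]
        if len(hdr) < 8:
            continue
        sig, version = hdr[:3], hdr[3]
        declared_len = struct.unpack("<I", hdr[4:8])[0]
        # The length field counts the whole uncompressed file, header included,
        # so anything under 8 bytes or an absurd version byte is not a SWF.
        if not (1 <= version <= MAX_PLAUSIBLE_VERSION) or declared_len < 8:
            continue
        body = blob[off + 8:]
        expected_body = declared_len - 8
        if sig == b"FWS":
            # Uncompressed: the declared length must fit inside the carrier.
            valid = expected_body <= len(body)
        elif sig == b"CWS":
            # zlib-compressed: the stream must decode cleanly to exactly the
            # declared size; trailing document bytes are left unconsumed.
            try:
                d = zlib.decompressobj()
                out = d.decompress(body, min(declared_len, MAX_INFLATE))
                valid = d.eof and len(out) == expected_body
            except zlib.error:
                valid = False
        else:
            # ZWS (LZMA) is not decoded here; header plausibility only.
            valid = True
        hits.append({
            "offset": off,
            "signature": sig.decode(),
            "version": version,
            "declared_length": declared_len,
            "body_valid": valid,
        })
    return hits


def _minimal_swf_body() -> bytes:
    # Smallest legal SWF body: RECT with Nbits=0 (one byte), frame rate 12.0
    # as little-endian fixed 8.8, frame count 1, then the End tag (0x0000).
    return b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"


def build_sample_carrier() -> bytes:
    """Constructed test input: zero filler standing in for a document, with one
    uncompressed and one zlib-compressed SWF embedded, plus a text fragment
    that contains the letters 'CWS' but is not a SWF header."""
    body = _minimal_swf_body()
    total = 8 + len(body)  # declared length covers the header too
    fws = b"FWS" + bytes([10]) + struct.pack("<I", total) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    filler = b"\x00" * 64
    decoy = b"Quarterly CWS report"  # 'CWS' followed by 0x20: version 32, rejected
    return filler + fws + filler + decoy + filler + cws + filler


if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample_carrier()):
        print(hit)
```

Run over a real attachment, any hit with `body_valid` set is worth quarantining for closer inspection; a document has no business carrying a Flash movie in most environments, whatever the movie does.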
Adobe’s advisory notes that Adobe Reader X utilizes a sandbox which prevents this exploit from working in Adobe Reader X on Windows. Windows machines with Flash installed are still vulnerable through their browsers and other applications.
The vulnerability impacts Adobe Flash Player 10 (all Operating Systems) and Adobe Reader 9 and X for Windows and Macintosh. It does not affect Adobe Reader for Android, Unix or Adobe Reader/Acrobat 8.
The only mitigation at this point is to remove Flash entirely and to make sure you are using Adobe Reader 8, or Adobe Reader X on Windows only.
Adobe mentioned they are working to release a fix for all affected software as soon as possible, with the exception of Adobe Reader X for Windows.
This is the same stance they took with the last Flash vulnerability that was mitigated through the use of Adobe Reader X’s sandbox.
Personally, I find this approach distasteful, and it was one of the concerns I had when Adobe announced their sandbox technology. It’s great that the sandbox is working against some of these exploits, but it suggests it is OK to consume malicious code because you have “protection”.
It would be better to release security fixes with the same priority regardless of the version of the software.
The observed attack currently only targets Windows users, but once a fix is made available by Adobe I recommend everyone update to the latest Flash software.
SophosLabs have published their analysis, including links to our detection identities in our knowledge base.
Probably by taking that stance they are making everyone migrate to Reader X, so that Adobe doesn't have to face the same problems as Microsoft and its IE.
Does Sophos currently detect and block/quarantine such an attack using their "endpoint security and control" software?
Given the mitigation strategies are not feasible to implement in most organisations, it is comforting to know that your A/V software detects this type of attack vector anyway.
Yes, Nathan, we do detect the samples currently in the wild. I updated the post with a link to SophosLabs' vulnerability analysis.
Considering the flaw in v8, is it really wise to be recommending it as a means of mitigation?
Not sure that I would recommend it… It is simply one of the only options that is not vulnerable to this attack.
Oh, what a surprise.
"If you press this button, your computer explodes. But we've wrapped your computer in bubble-wrap so that it doesn't cause too much damage to anything else, so we don't need to fix the button."
Maybe it's time for the "remove all Adobe products" option, but that would also include Google Chrome, which has Flash built-in.