Curious Flash player update

Explorer, Feb 19, 2010

Hi, I got a message stating that Adobe wanted to update my Flash Player and asking if I would allow changes to my computer today (19.2.2010) when I started my machine. I run my computer every day.

I realized that the update request was not signed by Adobe only after clicking yes (silly me)!

That's the info in my Internet Explorer about Flash (I deactivated it after getting suspicious about the update):

Name            Shockwave Flash Object
Herausgeber     Adobe Systems Incorporated
Status          Deaktiviert
Dateidatum      Mittwoch, 27. Januar 2010, 01:58
Version         10.0.42.34

Now I'm concerned about the security of my computer.

Have any others of you received an update today?

If any Adobe personnel reads this, is this update definitely bogus?

Thanks for your help

Tomasz

Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

1 Correct answer: Deleted User, Feb 22, 2010 (the accepted reply appears in full later in the thread)

New Here, Feb 19, 2010

new flash player should be version 10.0.45.2

Explorer, Feb 19, 2010

Thanks for your quick answer. Well yes, I thought so by looking at the forum. Makes me even more suspicious.

Guest, Feb 19, 2010

Hi Tomasz77, Having read your thread, I would close all browsers, disconnect from the Internet and run a full Scan with your Anti-Virus/Spyware program.

Then connect back to the Internet and check if the websites are working correctly.

Then test here: http://www.adobe.com/products/flash/about

Post back if you have any questions.

Thanks,

eidnolb

Explorer, Feb 19, 2010

Hi, thanks for bringing this to my attention.

However, I think the problems we are facing are different.

Before doing the manual update as you suggested, BOTH Firefox and IE8 showed the old version number. After updating, Firefox shows the new version number, while IE8 still shows the old one, but reports in the link you gave as the new one.

So this remains still open.

Guest, Feb 19, 2010

Hi Tomasz77, Who suggested to you to do a manual update? And what link were you given and who gave it to you?

I don't see anything on your thread here to indicate anything of which you speak.

Just trying to clarify the information on the threads.

Thank you for your help in this.

eidnolb

Explorer, Feb 19, 2010

Still open


Guest, Feb 19, 2010

Hi Tomasz77, I am still waiting for you to reply to my post#3 and post#5. That will be helpful since you say it is "still open".

Please post back, since I'm not sure of the status of your problem. Or what it is you want to do next.

Thanks,

eidnolb

Explorer, Feb 20, 2010

Hello eidnolb,

Beside what I have described in my earlier message I have done a system inspection with the SysInspector by ESET and looked into the results - found nothing looking really suspicious.

Cannot think of anything more to do.

What would help really most is a solid guess how good the chances are that this update has been issued by Adobe and not by some impostor and I'm really worrying about nothing.

Guest, Feb 20, 2010

Hi Tomasz77, Here is what you need to check. Using IE, go to Tools, click on Manage Add-ons. Find a listing that says Shockwave Flash Object...ActiveX Control....Flash10e.ocx (if vs 10.0.45.2) Flash10d.ocx (if vs 10.0.42.34). I am not sure if you can do this with IE8 or not. I know with IE6 you can. Try it anyway. Click on Shockwave Flash Object and see if there is on the bottom right a box that says "Update ActiveX". If it does, click on it and see if it updates. A small window with a graph will run. When it is finished, Reboot your computer. In IE6 this updates that ActiveX, whether it will or not with IE, you'll know. If it doesn't then we need to take a look at the Flash Player files.

One other thing on this Shockwave Flash Object. In your Post#1, you said you "deactivated" it after you became suspicious. Now anytime there is an Uninstall or Install of any program or like Flash Player, one must always Reboot for the changes to take effect. By "deactivating" this I think that stopped the process. If the above trying to update the SWO does not work, make sure it is Enabled and then Reboot(restart) your computer, before checking the Flash files below.

Go to C:\Windows\System32\Macromed\Flash.  Open the Flash folder and post back every listing.

Since you have run several Anti-Virus Scans and ESET is very reliable, in my opinion you are ok. Now the trojan that was found was PRIOR to you receiving a prompt from Adobe and even then it was isolated by your Anti-Virus program.

Had an "imposter" tried to download something, why would they download the Adobe Flash Player, when they could have tried to download something worse? Your Anti-Virus caught the Trojan, and probably would have caught the "imposter"

That is just my opinion and based on how spyware and viruses work, in addition to you running scans and nothing was found. I don't know what Anti-Virus you have installed on your computer, I use Avast  and can Scan each and most every file. Can you do that with your installed program?

Keep in mind also that Adobe and Microsoft use secure servers to download and since Adobe just came out with an update for Flash Player, many people are getting prompts. I received one myself and some of my friends have as well.

See about the above and post back.

Thanks,

eidnolb

Explorer, Feb 21, 2010

Hi, here is a first reply, since your answer is from yesterday already.

Slept badly and wasted the morning on a false positive given by Malwarebytes' Anti-Malware.

I will look into your answer more thoroughly after a quick noon nap.

Guest, Feb 21, 2010

Thanks Tomasz77, that is fine, no rush. I'll be off and on the forum today.

eidnolb

Explorer, Feb 21, 2010

Hi eidnolb,

first of all: thanks for all your work you invest in this.

Here is my answer to your remarks:

1) There is no update button in IE8. I used the Adobe "uninstall_flash_player.exe" in the meantime to delete both the Firefox plugin and the IE8 ActiveX control. I reinstalled both again from the "get.adobe.com" website. You'll find a listing of my "macromed" folder attached to this message, it is located in the "C:\windows\syswow64" folder on my computer.

2) When installing the IE8 Flash Player, I noticed a curious thing happening: I could view a second entry in the Tools/Add On Dialog Box of IE8 directly below the Flash Player entry, which had vanished when I looked a second time. The control this entry referred to is gp.ocx, which is signed by Adobe. Please see the attached jpeg for the directory where this control is located (the directory path is <C:\Program Files (x86)\NOS\bin>). Do you have the same on your computer?

3) I run ESET NOD32 and yes, I can do a complete check of memory/harddisk. As stated in my previous message, I also ran a complete system check with  Malwarebytes' Anti-Malware.

4) Regarding the imposter thing: I'm just worried somebody recorded my computer's address when the first attack failed and attempted a second one. It all depends on how automatic update requests via Internet work: if they are only started by background processes on my own computer (repeatedly checking if an update is available) or if one can initiate something like this from "the internet". I do not really know very much about this.

5) When did you receive your update for flash player? Do you still know if in the initial window starting the update process the program was signed or not?

Thx a lot

Thomas

Guest, Feb 21, 2010

Hi Tomasz77, IE8 is restrictive so that is why you couldn't update the ActiveX.

Your #1. I have never manually installed Flash Player; mine is installed from the prompt. However, I am aware of the various Adobe sites to install. The one you used has the DLM that is used in addition to the GetPlus/NOS. Not the best site to D/L from in my opinion. For very large files is what it is for from my understanding. I saw them in your Flash folder.

2. Yes, the gp.ocx is the GetPlus ActiveX. No I do not have this on my system. If I did I would remove them all:-) You saw that for a moment from the Detail box I would think. Why I don't know, it still installed.

3. good

4. The nature of a trojan is to install itself, but it did not, your anti-virus stopped it and isolated it. On the update process, Adobe I would think would advise of updates directly to your computer by secure servers just as Microsoft does if you have Automatic Updates permitted.

Even if you go to Microsoft and install manually, same thing. You can be sure these servers are well protected. An imposter would have to have a lot more info than your IP address. Any website you visit gets that anytime you access it. These bad guys automatically search for insecure computers, not a one on one basis. Just like you sometimes receive a recorded phone message, if you answer you hear it, if you don't there is no connection made. Same thing with the trojan, it rang, your Anti-Virus answered the call. Ha-Ha

5. I received my first prompt from Adobe on 2/18/10, but was busy, so clicked on the "Remind me later" option. No, I don't know if it was signed or not and have never known in all the times FP has been updated. I have never worried about that. I don't think a bad guy is going to install a perfectly working Flash Player on my system, he wants more than that and if he got it, I'd have more problems than Flash Player.

No, in my opinion you are fine, your Flash Player files are all correct. As far as some things not signed, I have a couple of add ons that are not signed. In fact I use a Brothers 4 in 1 and it's not signed and Dell Support(which I'm sure you have also) is not signed. But you can be sure my Anti-Virus and very important programs are.

If I were you I'd relax and if there is a problem down the road, cross that bridge when you come to it. It all looks good as far as I can see.

The only thing is there is no need for GetPlus/NOS/ and if you decide to remove them the gp.ocx will more than likely remove when you remove GetPlus/NOS from Add/Remove.

Take care,

eidnolb

Explorer, Feb 22, 2010

Hello eidnolb,

thanks for your answer. I only wish you had given me the info a bit earlier that you also received an automatic update request, that would have spared me a bit of time and sorrow.

I think there is one last thing to clarify: Got info from Adobe support that the automatic update request should have transferred me to the Flash Player download page at get.adobe.com. I think this would be very unusual, the normal way of things is that the program or control just gets updated after you click OK to the automatic update request. Did you get transferred to the website?

Thx so far

Thomas

Guest, Feb 22, 2010

Hi Tomasz77, I'll try to explain a little bit. When Adobe or any other Company comes out with an Update, users have a choice in how they update. With this latest FP update, it came out on 2/11/10. I became aware of it on 2/12/10. Now I could have updated on 2/12/10 by going to several of the Adobe sites and updated. I chose to wait for Adobe to prompt me and update that way, because that is how my FP has always been updated. Many users receive not only the FP update automatically but Adobe Reader in the same manner. I receive a prompt for Adobe Reader updates also.

My Avast Anti-Virus does the same thing when a new version is available. A pop up comes up and tells me a new version is available. At that time I can click on it and Avast will update to the new version. Now, I also can go to their website and update from there. Microsoft is the same way. Many users have set their system for Automatic Updates, which whenever Microsoft has any update for Windows or IE it will be downloaded and updated automatically. I have chosen to have Microsoft advise me updates are available and choose which update I want and when. Now likewise, I can also go to the Windows update and download that way.

When I receive a prompt from Adobe for Flash Player or Reader, I am not sent or transferred to any website. It is all done automatically, I just watch what is being done until it is finished. Then I go to my Flash folder to make sure the correct files have been installed, go to manage add ons to make sure Shockwave Flash Object has been also and Reboot. My opinion is that the person that told you that you would be transferred to a website during the process of the install via the prompt was/is mistaken. Makes no sense, what's the point?

In your first post, you said you noticed that the update was not signed by Adobe and you deactivated it. The only way you could have checked during the uninstall and install was to have stopped the process and therefore the update was not finished. Then in your post#9 you said you updated IE & FF. At that point you should have used the Uninstaller first. Then in post#14, you used the Uninstaller. Then you installed FP, using the "get.adobe.com" site. That site has the DLM/GetPlus/NOS installer.

I hope this has answered all of your questions.

Thanks,

eidnolb

Message was edited by: eidnolb  add'l

Explorer, Feb 22, 2010

Hello eidnolb,

Yes, thank you, I think this answered (nearly) all of my questions.

I would still like to know why Adobe sends unsigned automatic update notifications; signing them, or some other easy way of checking the credibility of the update, would have saved me some headaches.

Guest, Feb 22, 2010

Apparently, the unsigned notifications are now exploited by a spam reaching me every day, and whose HTML content is only:

<embed height="360" type="application/x-shockwave-flash" width="634" src="http://www.users.qwest.net/~benpeg72/Secure/wanadoo.swf">

WARNING! This is a worm that activates with a simple mouse hover. Don't try it if you're not experienced!

(the URL for this Flash Video object changes daily, it is sent in a spam whose title is for now "hollaa!" but this could change at anytime, there are LOTS of alternate mirror sources of this SWF, with variable file names and on a lot of hosting domains and user webspaces).

This immediately wants to run an update of Flash to the current version (that I already have), but this forced download is definitely not the original FlashPlayer from Adobe.

Really, the problem is in Flash Player that activates the malicious action immediately without any user action, just by previewing a mail. Thankfully, I'm using Google Chrome and not IE as my default web browser. The result of this Flash object may be catastrophic in IE, I did not try to see what would happen in IE.

Guest, Feb 22, 2010

Hi Verdy, well clearly this is not coming from Adobe. Everyday the bad guys are at work and the Anti-Virus programs are constantly updating to battle this. I don't see what Adobe could do to combat spam.

Microsoft just took a lot of heat with an update that was being blamed to cause the BSOD for XP users that installed the Windows update. They investigated and the cause was an Alureon rootkit infection that was already on the computers that were having a problem. This rootkit infection was able to change the Windows kernel and the system was unstable, so the update was an "effect" not the cause. Microsoft went to people's houses that reported these problems and got the hard drive info and ran multiple tests and were able to verify the exact problem.

As anyone knows, a rootkit infection is a very serious matter and Microsoft did an excellent investigation to find the cause. Also, other XP users that did not have the rootkit infection installed the same update and no BSOD has been reported. And Microsoft verified all of this in their testing.

Perhaps before we blame Adobe we might want to wait and see if something that Microsoft just experienced has not happened.

Spam is known and can be malicious of course. It is not the Flash Player update at fault, because many people are updating and have no problem at all. I certainly have not.

I don't know in what form this spam came to you but the bad guys are always trying new ways.

Thanks

eidnolb

Guest, Feb 22, 2010

I didn't say that the original Adobe Flash Player was malicious or bogus. But I've still never seen a SWF file activated this way from a spam. Before, it always required a user action to activate it, so the spams used "social engineering" to convince recipients to open the attachment or to activate the component.

This time, this is not necessary, the component starts running immediately and starts playing in the local zone without an explicit user action. That's why I think that there's a new security hole exploited, or that there's an incorrect assumption in the security checks performed by Flash Player before it activates the script stored within the SWF file (which is loaded from an external domain, not related to the webmail domain or to the local untrusted zone of a local mail client).

Flash is supposed to be loaded by the <embed> element in an HTML mail from within an unsecure zone (notably if the email itself is not digitally signed from a secure domain): it should have the strict minimum authorizations: it should not run, it should just be able to render the first frame of static objects, but no user action should be allowed. Activating "onmousehover" events immediately is a severe security hole in this case: I thought this was the case, but visibly, the malware authors of this SWF have found a way to circumvent this restriction, and exploit it.

Guest, Feb 22, 2010

Thanks Verdy, I read your info here before the more detailed info on your thread. I misunderstood here what you were saying, sorry. Didn't quite have the understanding that I have now after reading your thread.

I'm surprised that a mere "mouseover" triggers this. Is Tomasz77's suggestion on no HTML a possible answer?

It certainly appears to me that the responsibility for this lies somewhere. That's more than I can sort out, but those that can should.

Thanks for explaining this and that may be what Tomasz77 was involved in.

Hopefully, some of the more experienced Adobe employees and contributors will respond.

eidnolb

Message was edited by: eidnolb  add'l

Guest, Feb 22, 2010

Well I need to be able at least to have a safe preview. And on a webmail, there's simply no preview mode where HTML rendering can be disabled, in order to just show the plain-text code. In this preview mode, all Javascript in the HTML is disabled, lots of components become inactive, and a few <embed> elements are allowed, but loaded by disabling the auto-play parameters (notably of Flash).

Flash is then supposed to be loaded but not allowed to run, it can just attempt to render the static elements and possibly only the first frame of a video (we should need to click somewhere to play it).

I confirm that the mere "mouseover" action is enough to play the Flash object. And it is not tolerable, because the Flash object covers almost all the surface of the window: right-click on a message to preview, it opens, but immediately, you don't have the time to place the mouse cursor out of the rendering area before the SWF gets loaded. So Flash intercepts a mouseover on the new HTML page that appears. This event should not trigger anything. This is not the case here. And one of the actions is to automatically download a supposed "FlashPlayer" installer (with the latest version), but I don't know where it comes from. There's not even any confirmation that the browser can intercept, because all happens within Flash that the browser cannot control itself. The Flash object here is used to open a new browser window on a new (unknown) URL for the download, as if the user himself had followed an active link from a local application (for example like when activating a shortcut on the desktop).

All happens as if Flash thought that the user initiated the download, and the web browser also does not detect it (I don't see the normal browser yellow-bar alert at the top of the window that should happen before such a download starts). Yes I can still block the download, only because I have set the browser to ALWAYS ASK for the target folder of downloads, and NEVER proceed with it immediately. But this is not ideal, and I need to cancel it: this requires centering the mouse on the screen to reach the cancel button or the close button of the "save as..." dialog. But as soon as the "save as..." dialog closes, the mouse is now on top of the Flash object, which immediately retriggers the "mouseover" event, which reopens a download.

This is really irritating. And prone to errors made by users that may finally accept it by accident, or just to terminate an infinite loop of retried downloads.

Flash should really NOT honor the "mouseover" event by default. Only a "mouseclick" on the Flash object can be a convincing event, that can be forwarded to the SWF content. All Javascript within the SWF should then be completely inactive before this effective click.

This attack seems to work now (given the rate at which I receive this spam now), because it requires absolutely no social engineering. It just runs without permission.

Advocate, Feb 23, 2010

verdy_p wrote:

This time, this is not necessary, the component starts running immediately

The <embed> tag you are showing does not have a play="false" attribute, so that is expected behaviour. The tag attributes technote clearly says that the default is true.

and starts playing in the local zone without an explicit user action.

How did you ascertain that it was in the local zone? What else do you have in your local zone and in your trusted zone?

Apart from your assertion that it is in the local zone, which may have a perfectly sensible explanation, I really don't see anything special in what you describe. It is just a .swf that opens a popup window with a location that happens to be a .exe file. And just like would happen if the opening of the popup window were done through Javascript from the onload event, any decent popup manager will suppress the popup.

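The point made in the reply above (a Flash `<embed>` without a play attribute defaults to play=true) and the tag shape quoted earlier in the thread can be checked mechanically at the mail gateway or webmail side. The following scanner is an added example, not code from this thread or from Adobe: it flags Flash objects in an HTML mail body that are fetched from a host outside an assumed trusted list and lack play="false"; the sample mail body, the host names and the trusted list are all constructed.

```python
"""Flag Flash <embed>/<object> elements in an HTML mail body (added example).

A Flash object is reported as high risk when its SWF is fetched from a host
outside the trusted list and the play attribute is absent or not "false":
Flash's documented default for play is true, so such a movie starts running
as soon as the mail is previewed, before any click.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FLASH_MIME = "application/x-shockwave-flash"


class FlashEmbedScanner(HTMLParser):
    """Collect every <embed> or <object> that references Flash content."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("embed", "object"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data") or ""
        mime = a.get("type", "").lower()
        if mime != FLASH_MIME and not src.lower().endswith(".swf"):
            return  # not a Flash object, nothing to report
        host = (urlparse(src).hostname or "").lower()
        # A relative src resolves to the webmail origin itself, so only a
        # named host outside the trusted list counts as external.
        external = bool(host) and host not in self.trusted_hosts
        # Flash treats a missing play attribute exactly like play="true".
        autoplay = a.get("play", "true").strip().lower() != "false"
        self.findings.append({
            "tag": tag,
            "src": src,
            "host": host,
            "external": external,
            "autoplay": autoplay,
            "risk": "high" if external and autoplay else "low",
        })


def scan_html_mail(body, trusted_hosts=()):
    """Return one finding dict per Flash object found in the HTML body."""
    scanner = FlashEmbedScanner(trusted_hosts)
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample mail: the first <embed> mirrors the attribute shape quoted
# in the thread (external SWF, no play attribute); hosts are placeholders.
SAMPLE_MAIL = """\
<html><body><p>hollaa!</p>
<embed height="360" type="application/x-shockwave-flash" width="634"
       src="http://attacker-host.invalid/Secure/wanadoo.swf">
<object data="https://mail.example.com/static/player.swf" play="false"></object>
<img src="http://attacker-host.invalid/pixel.gif">
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html_mail(SAMPLE_MAIL, trusted_hosts=["mail.example.com"]):
        state = "autoplay" if f["autoplay"] else "no autoplay"
        print(f["risk"].upper(), f["tag"], f["src"], state)
```

A webmail preview pane that rewrites such elements to play="false", or drops them when the host is untrusted, removes the mouseover-only trigger the thread describes without waiting on a player fix.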
Guest, Feb 23, 2010

You did not see the issue. The download starts on a mouseover event. Even if the video starts "playing" it just contains a single frame with a poor resolution. The file is too large for this single frame, notably after the compression from SWF to SFC (220KB is too much for just a single frame and a basic static GUI interface with a few simple buttons).

The rest is certainly a complex script that will attempt to bypass the security tests (based on counting stack frames, something that could be easily exploited by an uncaught exception within the Flash Player renderer, but trapped at lower level by the javascript).

Note that this is definitely not a simple URL at end of the video. if this was the case, it would open as a normal popup and would be blocked by the browser. Note that the download starts BEFORE the browser actually sees a popup (probably a secondary method to get this same download) and displays an alert.

And anyway, Flash Player 10 is supposed to restrict the use of popups and file downloads in ActionScript, as long as there has not been any activation by an explicit click. Here a mere "mouseover" is enough; this should not have worked. This is a bug in Flash Player 10 which defeats one of its documented design requirements (this vulnerability existed in Flash Player 9, and Flash Player 10 was explicitly modified to change the requirement: no internet interaction is allowed before activation, the only data usable is the one within the SWF file itself, the ActionScript should be completely stale, with the JavaScript engine blocked or possibly even not instantiated at all, before activation in Flash Player 10; before this activation, Flash Player should only use its own rendering and should manage all user events without using any part of the script within that file; it should only render the properly encoded videos, with a strict validation, and the static GUI objects that make up the GUI interface visible in the Flash component, like here the "Menü" button, and the other play or volume control buttons should just be static images).

See also these recent CVE-MITRE/Secunia report about Adobe Flash Player:

CVE-2010-0186
CVE-2010-0187

https://secunia.com/advisories/38547/

"Adobe Flash Player Domain Sandbox Bypass Vulnerability"

I think it may be related to the same bug (and here I think this may be somewhere in the Actionscript transitions/effects specified in the embedded CSS for displaying the static "player" interface, and that will run within the context of the wrong security zone)

I passed the SWF to a SWF validator (the one used by DoubleClick for its advertising banners), it is correctly encoded, but DoubleClick should never tolerate such SWF in its advertised banners if they can freely open popups and freely perform downloads (saving to local disk, and not just within the unsafe Player cache for its sandbox).

So this SWF demonstrates that what was possible in Flash Player 9, and was supposed to be closed in Flash Player 10 by a new security restriction, still works as before (and so it can launch the same attacks that occurred last August-September 2009). And it's not surprising that it is used now to try downloading new versions of a worm that has had many variants during last autumn. It took Adobe many months to design a solution against this vulnerability (and this has caused the development of a FlashBlocker addon for Firefox and IE browsers).

I think that this bug is critical for all commercial advertising networks delivering ads in Flash format on lots of websites (DoubleClick being one of the most well known), because the lack of automatic detection of this behavior means that these ads must once again be manually tested (but the DoubleClick test is still based on what happens when you make an active click; a mere "mouseover" event was not supposed to activate the link within the banner).

The current code also bypasses the popup blockers by reaching another unrelated domain immediately, prior to any user activation on the same component within the same webpage and same browser frame displaying the same document. All happens as if the link hidden in the SWF had been explicitly launched from a desktop shortcut or from a browser's "favorite" link (these links are not supposed to display a confirmation before reaching an external site, because they are normally launched by an explicit user click or keypress).

"Mouse over" events should only perform actions requiring data from the same domain (for example changing an image for another stored in the same domain, or using scripts loaded from the same domain). They are definitely not explicit user actions. They should not grab the mouse, they should not grab the keyboard input, they should not be able to use the clipboard, they should not be able to read or save data on disk outside the sandbox's temporary storage in the player's cache (which should remain isolated in the same domain), they should not be able to open any new frame (window or tab), they should not be able to access the container document (to modify its DOM tree and insert HTML elements there), they should not be able to control any other browser frame (even if they know its name), and they should not even be able to read any other file from the browser's cache (which is separated from the Player's cache), except if they belong to exactly the same domain and this domain is in the whitelisted/secure zone.

There are probably several other restrictions where this SWF has exploited vulnerabilities.
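The post above relies on a SWF validator and on the claim that a banner should carry only static rendering until the user clicks. Below is an added example (written for this page, not DoubleClick's validator, not Adobe code, and not a file from this thread) of the mechanical checks a banner reviewer would want before trusting what a SWF displays: signature and declared length, which tags carry script (DoAction, DoInitAction, DoABC), whether FileAttributes requests network access, and which URLs an AVM1 GetURL action points at (a GetURL with a `_blank` target is exactly the kind of popup described). Tag codes, the RECT/frame-rate layout and the 0x83 GetURL action code are from the published SWF file format; the sample SWF, its host `example.invalid` and the file name in it are constructed inline and are fictitious. LZMA-compressed (ZWS) files are rejected rather than handled.

```python
import struct
import zlib

TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
             59: "DoInitAction", 69: "FileAttributes", 82: "DoABC"}
SCRIPT_TAGS = {12, 59, 82}   # payload is AVM1 (DoAction/DoInitAction) or AVM2 (DoABC) bytecode
ACTION_GET_URL = 0x83        # AVM1 action record: GetURL(url, target)


def parse_header(data):
    """Validate the 8-byte file header, inflate the body, decode the movie header."""
    sig = data[:3]
    if sig not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not a SWF: bad signature %r" % sig)
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF not handled in this example")
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]     # uncompressed length incl. header
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    if len(body) + 8 != declared_len:
        raise ValueError("declared length %d != actual %d" % (declared_len, len(body) + 8))
    # RECT: 5-bit Nbits then four Nbits-wide fields, byte padded; then UI16 frame
    # rate (8.8 fixed point) and UI16 frame count.
    nbits = body[0] >> 3
    rect_bytes = (5 + 4 * nbits + 7) // 8
    frame_rate, frame_count = struct.unpack_from("<HH", body, rect_bytes)
    header = {"signature": sig.decode(), "version": version, "length": declared_len,
              "frame_rate": frame_rate / 256.0, "frame_count": frame_count}
    return header, body, rect_bytes + 4


def iter_tags(body, pos):
    """Yield (code, payload) for each tag record up to and including the End tag."""
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                       # long form: UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:
            return
    raise ValueError("tag stream ended without an End tag")


def urls_in_doaction(payload):
    """Walk AVM1 action records and collect (url, target) pairs from GetURL."""
    urls, pos = [], 0
    while pos < len(payload):
        code = payload[pos]
        pos += 1
        if code == 0:                            # ActionEnd
            break
        if code < 0x80:                          # single-byte action, no payload
            continue
        length = struct.unpack_from("<H", payload, pos)[0]
        pos += 2
        data = payload[pos:pos + length]
        pos += length
        if code == ACTION_GET_URL:
            url, target = data.split(b"\x00")[:2]
            urls.append((url.decode("utf-8", "replace"), target.decode("utf-8", "replace")))
    return urls


def audit_swf(data):
    """Return what a reviewer needs: header, tag list, script tags, network flag, URLs."""
    header, body, pos = parse_header(data)
    report = {"header": header, "tags": [], "script_tags": [], "urls": [], "use_network": None}
    for code, payload in iter_tags(body, pos):
        name = TAG_NAMES.get(code, "Tag%d" % code)
        report["tags"].append(name)
        if code == 69 and payload:               # FileAttributes: UseNetwork is the low bit
            report["use_network"] = bool(payload[0] & 1)
        if code in SCRIPT_TAGS:
            report["script_tags"].append(name)
        if code == 12:
            report["urls"].extend(urls_in_doaction(payload))
    return report


# Constructed sample input (hypothetical; not a file from the thread).
def _tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def _rect(xmin, xmax, ymin, ymax, nbits=16):
    bits = format(nbits, "05b") + "".join(format(v, "0%db" % nbits) for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def build_sample_swf(compress=False):
    """One-frame SWF whose only script is a GetURL to a fictitious host in a new window."""
    geturl_data = b"http://example.invalid/update.exe\x00_blank\x00"
    do_action = bytes([ACTION_GET_URL]) + struct.pack("<H", len(geturl_data)) + geturl_data + b"\x00"
    body = (_rect(0, 11000, 0, 8000)                      # 550x400 px stage, in twips
            + struct.pack("<HH", 24 << 8, 1)              # 24 fps, 1 frame
            + _tag(69, b"\x01\x00\x00\x00")               # FileAttributes: UseNetwork=1
            + _tag(9, b"\xff\xff\xff")                    # SetBackgroundColor white
            + _tag(12, do_action) + _tag(1, b"") + _tag(0, b""))
    length = struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + bytes([10]) + length + zlib.compress(body)
    return b"FWS" + bytes([10]) + length + body
```

Call `audit_swf(open(path, "rb").read())` on a real banner: a file with no script tags and an empty URL list cannot reach the network through AVM1 script at all, whereas a DoABC (AVM2) tag would need a separate bytecode disassembler to inspect, so its presence alone is the finding. A truncated or re-encoded file fails the declared-length check before any tag is trusted.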

Advocate ,
Feb 23, 2010 Feb 23, 2010


verdy_p wrote on 2/23/2010 9:01 PM:

> Note that this is definitely not a simple URL at the end of the video. If this was the case, it would open as a normal popup and would be blocked by the browser.

It is blocked in my browser. Have you tried a different browser? The popup blocker in IE is not as comprehensive as the one in Firefox.

> Note that the download starts BEFORE the browser actually sees a popup (probably a secondary method to get this same download) and displays an alert.

The download never starts for me. I verified with a packet sniffer capturing all traffic between me and the internet that there is no download whatsoever unless I click to allow the blocked popup. And even then it is the standard browser dialogue.

> See also these recent CVE-MITRE/Secunia reports about Adobe Flash Player:
> https://secunia.com/advisories/cve_reference/CVE-2010-0186/

That was fixed in 10.0.45.2. If you are using an older version of the Flash Player then all bets are off.

> I think that this bug is critical

Since you are not answering my questions as to why you think it is in the wrong security zone I don't think we are making any progress. And even if we were making progress, if you seriously think this is a security issue this is not the right place for it. This is a user forum, not a vendor forum. Get the source of one of the email messages you receive that trigger the behaviour you experience and send it to Adobe:
http://www.adobe.com/support/security/alertus.html
