As indicated in FortiGuard Advisory FGA-2010-53, an attack exploiting a critical zero-day vulnerability in Adobe Flash Player was very recently found roaming in the wild. Although the attack vector in the wild is a PDF file, the vulnerability is in Flash Player itself (Adobe Reader embeds a Flash Player).

After analyzing the PDF sample, we can confirm that the core ActionScript in the embedded Flash file, which triggers the exploit, is almost exactly the same as that of an example on flashandmath.com, as Bugix Security guessed.

Almost? Indeed: the only difference lies in a single byte (at 0x494A, for those who’d like to make a signature based on that ;)), changed from 0x16 in the example to 0x07 in the exploit code:

pic1

What does this correspond to? Simply to an ActionScript class id sitting in the “MultiName” part of the file (according to Adobe’s ActionScript Virtual Machine 2 Overview):

pic2

So, the original fl.controls::RadioButtonGroup class in the example becomes a fl.controls::Button class in the sample. Thus, at runtime, all references that are supposed to point to fl.controls::RadioButtonGroup actually refer to fl.controls::Button… which, somewhere below, triggers the vulnerability:

pic3

Based on this, it is not extremely challenging to guess how the attacker discovered this zero-day vulnerability: simply by running a “dummy” fuzzer on basic Flash files, as many bug hunters are doing. We had already noticed that the same thing likely happened for CVE-2010-1297 and CVE-2010-2884.
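
The single-byte difference described above (0x16 changed to 0x07 at 0x494A) can be turned into a triage check that diffs an extracted Flash file against the benign example. This is an added example, not code from the original post; it assumes the offset refers to the uncompressed SWF image and that a local copy of the benign example is available, and the function names are hypothetical.

```python
import zlib

# Offset and byte values are the ones stated in the post.
# Assumption: the offset is counted in the uncompressed SWF image.
PATCH_OFFSET = 0x494A
ORIGINAL_BYTE = 0x16   # value in the benign example
EXPLOIT_BYTE = 0x07    # value in the in-the-wild sample


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed SWF image (FWS as-is, CWS zlib-inflated)."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        # The 8-byte header (signature, version, length) is never compressed.
        return b"FWS" + data[3:8] + zlib.decompress(data[8:])
    raise ValueError("not an SWF file")


def byte_diffs(reference: bytes, sample: bytes):
    """List (offset, reference_byte, sample_byte) for each differing position."""
    if len(reference) != len(sample):
        raise ValueError("length mismatch: not a same-size patch")
    return [(i, a, b) for i, (a, b) in enumerate(zip(reference, sample)) if a != b]


def classify(reference_swf: bytes, sample_swf: bytes) -> str:
    """Compare an extracted SWF against the benign reference SWF.

    Returns 'identical', 'matches-patch' (only the byte from the post
    differs), 'modified' (other differences), or 'unrelated'.
    """
    try:
        diffs = byte_diffs(swf_body(reference_swf), swf_body(sample_swf))
    except (ValueError, zlib.error):
        return "unrelated"
    if not diffs:
        return "identical"
    if diffs == [(PATCH_OFFSET, ORIGINAL_BYTE, EXPLOIT_BYTE)]:
        return "matches-patch"
    return "modified"
```

A "modified" verdict still deserves a look: a sample rebuilt with other changes would shift or add differences, so the exact-match case is a narrow signature rather than a general detector.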