As indicated in FortiGuard Advisory FGA-2010-53, an attack exploiting a critical zero-day vulnerability in Adobe Flash Player was found very recently roaming in the wild. Although the attack vector in the wild is a PDF file, it is a Flash Player vulnerability indeed (Adobe Reader embeds a Flash Player).
After analyzing the PDF sample, we do confirm that the core ActionScript in the embeded flash file, which triggers the exploit, is almost exactly the same as that of an example on flashamdmath.com, as Bugix Security guessed.
Almost? Indeed: the only difference lies in a single byte (at 0x494A, for those who’d like to make a signature based on that ;)), changed from 0×16 in the example to 0×07 in the exploit code:
What does this correspond to? Simply to an ActionScript Class id sitting in the “MultiName” part of the file (According to Adobe’s ActionScript Virtual Machine 2 Overview):
So, the original fl.controls::RadioButtonGroup class in the example becomes a fl.controls::Button class in the sample. Thus, at runtime, all references that are supposed to point to fl.controls::RadioButtonGroup actually refer to fl.controls::Button… which, somewhere below, triggers the vulnerability:
Based on this, it is not extremely challenging to guess how the attacker discovered this 0day vulnerability: Simply by running a “dummy” fuzzer on basic flash files, as many bug hunters are doing. We had already noticed the same thing likely happened for CVE-2010-1297 and CVE-2010-2884.
it’s very useful article , i known alot of things from it.
it’s very useful article , i known alot of things from it.
with html 5 becoming popular and more popular each day, this flash player will be replace by it.
So glad that flash player is being phased out.
I hope that Flash Player will be more resitence to the attackers in the future.
very critical vulnerability in flash player. hope they will fix it.
This kind of bud is not really excepted.Cyber attract to flash player should be solve as soon as possible.It is a matter of our online data security.