Open source software security

Flash 0-day

Security Focus is reporting that a new, as yet unpatched, exploit targeting Adobe Flash is circulating. Apparently a Chinese malware package (the MPack exploit kit) now includes attacks against Flash. The troubling thing about the report is that there are few details, and the software in question cannot be patched to prevent exploitation because no fix has been published (a so-called zero day, or 0day).

Adobe software has a troubling track record on security. The last serious threat to Adobe products was a PDF exploit. Details of the exploit were released on January 20, 2008, and by that point attackers were already crafting malware that used it. Adobe didn't even officially acknowledge the problem until February 7, 2008, and even after owning up to it they took until February 13 to offer a patch. More than three weeks passed in which malicious code had unfettered use of the exploit. It seems that with Adobe you get a 0-month, not just a 0-day!

The major problem in addressing security flaws in Adobe products is the lack of alternatives. It isn't easy to find a PDF reader that handles the ubiquitous format well, and there is no mature alternative to the Flash plugin. Flash developers have long touted the fine-grained control the software gives them, but the reality is that users must install a closed-source piece of proprietary software in order to view Flash content.

The only way to defend yourself against this exploit is to uninstall the Flash player. Given that Flash is everywhere, this may make your web browsing diet a lot less pleasant, but it is the only reliable way to keep your computer from being infected with malware. An up-to-date anti-virus solution might mitigate the damage by detecting any malware quickly, but anti-virus products rely mostly on signatures of code the vendor has already seen: if malware authors write new code, or simply repack old code, it is quite possible that the malware will evade signature-based detection.
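To make the signature-evasion point concrete, here is an added example (not code from the original post, and not any vendor's engine): a toy byte-signature scanner, a constructed inert "payload" standing in for an exploit kit's download-and-execute stage, and a repacking step that XOR-encodes the body behind a small stub. The stub marker `XORSTUB` and the signature name are hypothetical. The plain signature scan catches the known sample and misses the repacked variant; only a second pass that recognises the stub and decodes the body restores the match, which is the extra work a signature-only product does not do for code it has never seen.

```python
"""Added example (not from the original post): why a byte-signature scanner
misses repacked malware, and how decoding the packer stub recovers the match.

Every sample below is a constructed, inert byte string standing in for a
real exploit payload. Nothing here is executed or written to disk."""
from typing import List, Optional

# Constructed: a "known" malicious payload and the vendor's signature for it.
KNOWN_PAYLOAD = b"\x90\x90\x90" + b"DownloadAndExec(http://malware.example/" + b"\x00" * 4

# Signatures are fixed byte sequences lifted from previously seen samples
# (written in hex, ClamAV-style). "Trojan.Downloader.Example" is hypothetical.
SIGNATURES = {
    "Trojan.Downloader.Example": bytes.fromhex("446f776e6c6f6164416e6445786563"),  # "DownloadAndExec"
}

# Constructed: the header a hypothetical packer prepends to an encoded body.
STUB_MAGIC = b"XORSTUB"


def scan_signatures(data: bytes) -> List[str]:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def repack(payload: bytes, key: int) -> bytes:
    """Produce a new variant of the same payload: stub header + key byte + XOR-encoded body.

    A one-byte XOR is far weaker than a real packer, but it is enough to change
    every byte of the body, so no signature taken from the original still matches.
    (A key of 0 would leave the body unchanged; real packers would never pick it.)
    """
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be a non-zero byte")
    body = bytes(b ^ key for b in payload)
    return STUB_MAGIC + bytes([key]) + body


def unpack_if_stub(data: bytes) -> Optional[bytes]:
    """Heuristic step: if data starts with the known stub, decode and return the body."""
    if not data.startswith(STUB_MAGIC) or len(data) <= len(STUB_MAGIC):
        return None
    key = data[len(STUB_MAGIC)]
    return bytes(b ^ key for b in data[len(STUB_MAGIC) + 1:])


def scan(data: bytes) -> List[str]:
    """Signature scan first; if nothing matches but a packer stub is present,
    decode the body and scan that too. This second pass is what a pure
    signature scanner lacks when it meets a repacked sample."""
    hits = scan_signatures(data)
    if hits:
        return hits
    decoded = unpack_if_stub(data)
    return scan_signatures(decoded) if decoded is not None else []


if __name__ == "__main__":
    variant = repack(KNOWN_PAYLOAD, 0x5A)
    print("known sample, signature scan  :", scan_signatures(KNOWN_PAYLOAD))
    print("repacked variant, signature   :", scan_signatures(variant))  # [] : evaded
    print("repacked variant, with unpack :", scan(variant))
```

The lesson carries over to real products: a signature is only as good as the vendor's prior exposure to that exact byte sequence, and the first victims of a new or freshly repacked sample are the ones who supply the vendor with it.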

On a Windows machine you can remove the Flash player by opening the Start menu, going to 'Add/Remove Programs', selecting 'Adobe Flash Player Plugin' and clicking 'Remove' (the Internet Explorer version is listed separately as 'Adobe Flash Player ActiveX'). While you're at it you might want to remove Adobe Reader and try one of the free alternatives like Ghostscript or Sumatra PDF. There is an open source project called Gnash that aims to be a Flash alternative that would be safe to use. I haven't tried Gnash though, so I can't comment on its usability or stability.

For more reading check out:

http://blogs.zdnet.com/security/?p=1189
http://isc.sans.org/diary.html?storyid=4465
http://www.kb.cert.org/vuls/id/395473
http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue.html
http://ddanchev.blogspot.com/2008/05/malware-attack-exploiting-flash-zero.html
http://www.avertlabs.com/research/blog/index.php/2008/05/27/flash-player-exploit-update/

Update (9/28 @ 2:30PM EST):

It looks like Symantec is tracking malware in the wild now.