NEWS FROM THE LAB - Tuesday, April 12, 2011

Limit Flash Exploit Exposure, Uninstall ActiveX Version Posted by Sean @ 15:27 GMT

Yesterday, Adobe issued Security Advisory APSA11-02. The advisory states that:

"A critical vulnerability exists in Flash Player and earlier versions (Adobe Flash Player and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems."

And… this new vulnerability is currently being exploited in the wild:

"There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform."

Flash files in embedded in Office?

This attack vector prompted the following question from Brian Krebs: Does anyone know of a reliable way to disable the rendering of Flash objects in MS Office files across the board?

Our thought is why disable what you can easily uninstall?

We don't generally use Internet Explorer, so we don't need the IE version of Flash Player enabled at all. For Flash on the Web, you can use a designated browser (other than IE). Do you really need Flash enabled for Office?

This is what Microsoft Office will prompt when opening a document/spreadsheet/presentation containing embedded Flash content with no ActiveX version of Flash installed.

Some controls on this presentation can't be activated.

The "Non-IE" versions of Flash Player are of course still vulnerable to exploit, but it's harder to image a successful targeted attack (via e-mail) against them, which is probably why current attacks are using Office.

Incidentally, it looks as if the next version of Flash Player (10.3) will include a control panel applet:

Flash control panel applet

Looks promising:

Flash Player Settings Manager

Updated to add: Adobe has revised its advisory. Flash Player for browsers will be updated on April 15th, other versions are to follow later. SANS Diary has a nice table illustrating the update schedule.