From the ‘be afraid be very afraid‘ files:
*UPDATED** There is a security exploit in the wild for Adobe’s Flash player for which there is currently no patch – yes folks it’s a bona fide zero day exploit. (*see update at end of post – this report has now been revoked by the security reporting agencies**)
According to a report on Security Focus (they run the Bugtraq mailing list):
An attacker may exploit this issue to execute arbitrary code in the
context of the affected application. Failed exploit attempts will
likely result in denial-of-service conditions.
Wait it gets better.
The Internet Storm Center (ISC) is now reporting malicious sites in the wild that are actively exploiting the issue. ISC handler
Adrien de Beaupre provides gory detail on how one particular site is using the flaw by way of a jpg image.
The latest update from Security Focus alleges that the issue is widespread with malicious code being injected into approximately 20,000 web pages.
Malicious code is being injected into other third-party
domains (approximately 20,000 web pages), most likely through
SQL-injection attacks. The code then redirects users to sites hosting
malicious Flash files exploiting this issue.
This is no trivial exploit – let’s hope that Adobe does the right thing and gets this issue resolved ASAP.
**UPDATE MAY 29 ** Looks like this wasn’t a zero day after all. Secunia and ISC SANS are now revoking earlier claims and noting that the issue was already known. According to Adobe :
This exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 188.8.131.52 (CVE-2007-0071). We strongly encourage everyone to download and install the latest Flash Player update, 184.108.40.206.
While initial reports seemed to indicate that 220.127.116.11 was at risk ISC handler Jim Clausing notes that is not the case:
We have yet to see one of these that succeeds against the current
version (18.104.22.168), if you find one that does, please let us know via
the contact page.