October 28th, 2010, 08:16 GMT · By

Unpatched Critical Flash Player Vulnerability Possibly Exploited in the Wild

Image caption: New Flash Player zero-day vulnerability on the horizon
According to the preliminary findings of some security researchers, a new zero-day vulnerability in Adobe Flash Player might be exploited in the wild to infect users with a trojan.

The alert comes from independent security researcher Mila Parkour, who maintains the Contagio Malware Dump blog. Ms. Parkour was also credited back in September with reporting an actively exploited Adobe Reader zero-day vulnerability.

The researcher posted a screenshot of the new attack in action and it looks like the unpatched Flash Player vulnerability is exploited via malicious SWF content embedded in a .pdf document.

Successful exploitation results in two files called nsunday.exe and nsunday.dll being dropped and executed on the system.

According to a ThreatExpert analysis, these files are components of a Wisp trojan variant. Wisp is a relatively new trojan discovered back in March and is capable of stealing information, as well as downloading and executing malicious files.

A VirusTotal scan of the executable reveals that 15 antivirus engines detect it as malicious, mostly via generic signatures.

It seems that the people behind this threat are no strangers to exploiting zero-day vulnerabilities. Wisp.A was originally distributed via drive-by download attacks targeting an unpatched flaw (CVE-2010-0806) in Internet Explorer.

Adobe's Product Security Incident Response Team has been notified of the suspected Flash Player vulnerability, but it has yet to test and confirm it.

This is very bad news. If the new zero-day is confirmed - and there is a strong possibility that it will be - people might be exposed to attacks for weeks.

Even if Adobe quickly rolls out a patch for Flash Player, the vulnerability will remain exploitable through Adobe Reader, which has its own embedded Flash interpreter.

Adobe Reader and Acrobat follow a uniform quarterly update cycle, and the next update is a long way off, being scheduled for February 8, 2011.

The company has broken out of this cycle on multiple occasions to fix zero-day vulnerabilities, but due to their corporate adoption, Adobe Reader and Acrobat releases require thorough testing that takes a lot of time.

Until this is sorted out, it might be sensible for users to disable Flash support in Adobe Reader, especially if they don't need it. This can be done by renaming the "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" file.
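The rename described above, as an added PowerShell example that is not part of the original article: it audits the Reader install directories for authplay.dll, renames it with -Disable, and reverses the change with -Restore. The "Reader 9.0" path comes from the article; the version-wildcard, the 32-bit Program Files directory, the Acrobat subfolder and the ".disabled" suffix are assumptions.

```powershell
# Added example (not from the article): audit Adobe Reader/Acrobat installs
# for the embedded Flash interpreter (authplay.dll) and disable it by renaming,
# as the article suggests. Close Reader first (the DLL is locked while it runs)
# and run from an elevated prompt. Paths other than the article's
# "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" are assumptions.
param(
    [switch]$Disable,
    [switch]$Restore
)

# Install roots: %ProgramFiles% plus the 32-bit directory on 64-bit Windows
# (assumed, since Reader 9 is a 32-bit application).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Any "Adobe\<product version>" directory, e.g. "Reader 9.0", and both the
# Reader and (assumed) Acrobat sub-layouts.
$candidates = foreach ($root in $roots) {
    Get-ChildItem -Path (Join-Path $root 'Adobe') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            Join-Path $_.FullName 'Reader\authplay.dll'
            Join-Path $_.FullName 'Acrobat\authplay.dll'
        }
}

foreach ($dll in ($candidates | Sort-Object -Unique)) {
    $disabled = "$dll.disabled"   # assumed suffix; any non-.dll name works
    if (Test-Path -LiteralPath $dll) {
        Write-Host "Flash interpreter ENABLED : $dll"
        if ($Disable) {
            Rename-Item -LiteralPath $dll -NewName (Split-Path -Leaf $disabled) -ErrorAction Stop
            Write-Host "  -> renamed to $disabled"
        }
    }
    elseif (Test-Path -LiteralPath $disabled) {
        Write-Host "Flash interpreter DISABLED: $disabled"
        if ($Restore) {
            Rename-Item -LiteralPath $disabled -NewName (Split-Path -Leaf $dll) -ErrorAction Stop
            Write-Host "  -> restored to $dll"
        }
    }
}
```

Run without switches to report only; with -Disable, Reader will no longer render SWF content embedded in PDFs until -Restore or the patched release puts the file back.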

Update October 28:
Adobe has confirmed the existence of this vulnerability and has announced a time frame for patches. More here.



READER COMMENTS:


Comment #1 by: diocyde on 28 Oct 2010, 16:14 UTC

Just to educate all of you who are in the dark. This is a crafted and launched attack from KNOWN Chinese cyber operators who seem rather intent on burning 0-days like they are going out of style, in order to bombard us with waves of highly targeted spear-phishing leading to the compromise and successful theft from hundreds of organizations. I have a large amount of variants of this trojan and immediately recognized not only the domain but the trojan. The same actors are responsible and behind the latest 10-15 0-days launched against us in Adobe/Flash/IE/and Office binary file formats. People need to wake up and start looking beyond the trees. If you think the interesting part of this article is the 0-day or the trojan you're missing something. Ironically some of the wonderful writeups like the Microsoft Wisp encyclopedia entry and several highly detailed writeups on other samples simply gloss over their report and discuss the technical without actually mentioning the most important part. The rape and pillage/backdooring of Western R

Comment #1.1 by: Bogdan Botezatu on 02 Nov 2010, 19:14 GMT

No, it is the stupidity of the user who's naive enough to open up all sorts of attachments without having an antivirus solution in place. It's normal for virus-writers to go after people's money.
