
[Repost] Danger! Please upgrade Flash Player to 9.0.124 as soon as possible


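News source: cbmland.com
Today I obtained an exploit in SWF format and tested what it does on Flash Player 9.0.115.
When Adobe Flash Player 9.0.115 plays a maliciously crafted SWF, it automatically downloads an executable file and runs it. The SWF file I obtained automatically downloads a downloader and runs it, and that downloader then downloads other pre-specified trojans, which is quite dangerous.
This vulnerability is present in Adobe Flash Player 9.0.115 and earlier versions. In fact, as early as April 8, Adobe had already released the 9.0.124 update and published a security bulletin. The problem is quite serious, so please be sure to update to version 9.0.124 promptly.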


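Symantec recently released a security report stating that Adobe Systems' Flash Player software contains a security vulnerability. According to a report on Symantec's SecurityFocus website, the vulnerability exists in versions 9.0.124.0 and 9.0.115.0 of the Flash Player browser plug-in that Adobe recently released. Attackers can exploit the vulnerability to run unauthorized software on a target computer; if the attack fails, the user's browser may crash. Symantec did not disclose further details, and it does not currently know whether a patch for the vulnerability has been released.
Symantec's Security Response team estimates that more than 20,000 web pages have been infected with the related trojan. The vast majority of these pages are hosted in China, and most of them were infected through SQL injection.
An Adobe spokesperson said the company is working with Symantec to look for the potential SWF file vulnerability: "As soon as we have new findings, we will promptly provide everyone with a more detailed report."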


Both Adobe Flash Player 9.0.124.0 and Adobe Flash Player 9.0.115.0 are affected.
For temporary mitigations, see the US-CERT note:
Quote:

Solution

We are currently unaware of a solution to this problem.

Workarounds for users running Mozilla-based browsers

  • Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts and access installed plugins may prevent this vulnerability from being exploited. Note that NoScript is not likely to stop all attack vectors for this vulnerability, see the NoScript FAQ for more information.
  • On Linux systems, the Flash player can be disabled by renaming the Flash plugin. The plugin may be found in several locations, including /usr/lib/firefox/plugins /usr/lib/iceweasel/plugins /usr/lib/mozilla/plugins, and is named flashplugin-alternative.so
  • Firefox 3 users can disable the Flash plugin by going to tools, Add-ons, then clicking the Disable button next to the Shockwave Flash plugin. Note that this setting only applies to Mozilla Firefox, and other browsers such as Mozilla, Konqueror, Opera, and Epiphany will still be able to access the Flash plugin.


Workarounds for users running Internet Explorer

  • Applying the kill bit for the following CLSID will prevent the Flash plugin from running:
    {D27CDB6E-AE6D-11cf-96B8-444553540000}
    More information about how to set the kill bit is available in Microsoft Support Document 240797.


Workarounds for web server administrators

  • Ensure that security updates are applied to software running on the server.
  • Reverse proxy servers and web application firewalls may be able to detect and block some attacks. Administrators may also use iptables string matching to block or whitelist the Flash MIME type (application/x-shockwave-flash). Note that firewalls and IPS systems are not likely to stop all attacks.
  • Administrators and web developers should confirm that third parties (such as ad providers) hosting content on their domain are not acting as attack vectors for this vulnerability.


Workarounds for network administrators

  • Firewall, web proxies and IPS systems may be able to stop some attacks. For example, iptables string matching or the Squid req_mime_type ACL can be used to block access via restricting what sites can send the Flash MIME type (application/x-shockwave-flash).

Related links

Malicious swf files?
http://isc.sans.org/diary.html?storyid=4468

Adobe Flash player code execution vulnerability
http://www.kb.cert.org/vuls/id/395473

Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/29386

The latest weapon of website trojan planters: SWF 0Day Exploit
http://x-solve.com/blog/?p=285

[ This post was last edited by jammin on 2008-5-29 00:27 ]
The biggest security hole is not knowing that you have already been compromised.
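
The Linux workaround in the quoted US-CERT note (disabling Flash by renaming the plugin file) can be scripted as below. This is an added example, not part of the original thread or of the US-CERT note; the function names and the `.disabled` suffix are assumptions of the example, while the directories and plugin file name follow the note.

```shell
#!/bin/sh
# Added example: disable the Flash browser plugin by renaming it, following
# the US-CERT workaround quoted above. The ".disabled" suffix and the
# function names are assumptions of this example.

FLASH_PLUGIN_NAME="${FLASH_PLUGIN_NAME:-flashplugin-alternative.so}"
DEFAULT_PLUGIN_DIRS="/usr/lib/firefox/plugins /usr/lib/iceweasel/plugins /usr/lib/mozilla/plugins"

# disable_flash_plugin [DIR...]
# Renames the plugin in each directory (default: the list above).
# Returns 0 if every copy found was renamed, 1 if any copy is still in place.
disable_flash_plugin() {
    [ "$#" -gt 0 ] || set -- $DEFAULT_PLUGIN_DIRS
    rc=0
    for dir in "$@"; do
        src="$dir/$FLASH_PLUGIN_NAME"
        dst="$src.disabled"
        # -L also catches a dangling symlink (the file is often an
        # alternatives symlink), which -e alone would report as absent.
        if [ ! -e "$src" ] && [ ! -L "$src" ]; then
            echo "absent:   $src"
        elif [ -e "$dst" ] || [ -L "$dst" ]; then
            # Never overwrite an earlier backup; leave it for the admin.
            echo "conflict: $dst exists, $src left in place" >&2
            rc=1
        elif mv -- "$src" "$dst"; then
            echo "disabled: $src -> $dst"
        else
            echo "failed:   $src (insufficient privileges?)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# count_active_plugins [DIR...]
# Prints how many of the directories still hold a copy under the live name.
count_active_plugins() {
    [ "$#" -gt 0 ] || set -- $DEFAULT_PLUGIN_DIRS
    n=0
    for dir in "$@"; do
        p="$dir/$FLASH_PLUGIN_NAME"
        if [ -e "$p" ] || [ -L "$p" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}
```

Run `disable_flash_plugin` as root with no arguments to cover the three directories from the note, then confirm that `count_active_plugins` prints 0; renaming the file back re-enables the plugin once a fixed version is installed.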


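Speaking of which, the Taiwan distributor of World of Warcraft even put a notice on its login page reminding users to update to 9.0.124.0.
But it looks like the latest version is affected as well?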


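The alarm has been called off, I think. At first Norton said that 9.0.124 was affected and that this was a 0-day attack; later it was confirmed that the affected versions were the older ones and that it was not a 0-day. Adobe also explained the situation on its official site (I found it by poking around on Google and did not note it down, Orz). It looks like 9.0.124 should not currently be threatened by that vulnerability...

At the time I immediately removed Flash Player entirely and waited for an update, and only installed the new version again after the news was corrected. It really scared me to death...

Even though times have moved on, I still can't forget the many ridiculous things I did back then, with a little regret and a lot of nostalgia. 98SE may not have been a perfect system, but it stayed with me for a long stretch of the road...

(Though I never liked the white text on a blue background at all, even if that was a hallmark of the era =_=)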
