Two noteworthy exploits have surfaced recently. This blog post covers both: first, a server-based attack tool, and second, the discovery of a now-patched vulnerability in Flash.
First:
Tornado, a web-based exploit tool, can exploit more than a dozen browser vulnerabilities. ITNews Australia explains that the tool “is commonly installed on a server by a single ‘administrator,’ who then offers accounts on the server to other attackers.” This structure protects the proprietary code and keeps it from being released “underground.”
The seller is also able to discriminate between clients, which Liam O’Murchu, a Symantec researcher, cites as a reason that the exploit has remained undiscovered for so long. Shaun Nichols of ITNews writes that Tornado “offers attackers a full set of traffic statistics and options for selecting which exploits can be conducted.”
Second:
Robert Jaques reports for ITNews that a new Flash vulnerability has been discovered by Tier-3. This issue arises from the use of “NULL pointers,” software code which points to specific locations in a computer’s memory. Geoff Sweeney, an executive at Tier-3, is quoted as saying,
“Buffer overflows are still an issue, but they are a problem that has been tackled by the industry for many years. NULL pointer de-referencing has not received anywhere near the same level of attention, which means that users need to be more vigilant than ever.”
A recent paper by Mark Dowd, a researcher at IBM Internet Security Systems, provides a detailed example of this type of exploit. The Matasano Chargen blog explains Dowd’s achievement while claiming that Dowd was “sent back through time to kill the mother of the person who will grow up to challenge SkyNet.” And his accomplishment does inspire some awe. In brief:
“Dowd’s exploit uses a NULL pointer write32 to knock the locks off the bytecode interpreter in Flash, so that his SWF file can run bytecode that will rewrite the system stack.”
So the NULL pointer presents an entry point for Dowd to run his exploit, and this entry point exists on Internet Explorer and Firefox, which have compatible internal addressing, and on Vista.
According to DailyTechNotes, Adobe has already released a patch for the vulnerability and you should download it now. They explain the risk:
“Vulnerabilities in various online software is nothing new. But what makes vulnerability in flash so much damaging is that flash is installed on almost all browsers and it is independent of the operating system you are running.”