II. http://www.avertlabs.com/research/blog/index.php/2009/09/14/from-targeted-pdf-attack-to-backdoor-in-five-stages/FireEye Malware Intelligence Lab
Julia Wolf @ FireEye Malware Intelligence Lab
Heap Spraying with Actionscript
As you may have heard, there's a new Adobe PDF-or-Flash-or-something 0-day in the wild. So this is a quick note about how it's implemented, but this blog post is not going to cover any details about the exploit itself.
But apparently there's no easy way to disable Flash through the UI. US-CERT recommends renaming the “%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll” and “%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll” files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]
Anyway, here's why… Flash has it's own version of ECMAScript called Actionscript, and whoever wrote this new 0-day, finally did something new by implementing the heap-spray routine with Actionscript inside of Flash. More
McAfee Labs Blog
From Targeted PDF Attack to Backdoor in Five Stages
Monday September 14, 2009 at 12:33 pm CST
Posted by Dennis Elser
As reported by Adobe in July, a Flash vulnerability is being actively exploited by targeted attacks against Adobe Reader. Yes, embedding Flash movies in PDF documents is supported in Adobe Acrobat 9. The idea of allowing Flash movies to be displayed within PDFs isn’t bad if you like your documents spiced up with a bit of interactivity or training videos. From a security perspective, however, this poses yet another attack vector for criminals to take control of vulnerable systems. As history has shown, complexity and feature richness go hand in hand with remotely exploitable vulnerabilities. It is unfortunately no different with this latest PDF feature.