
SANS Internet Storm Center (ISC) diary

Followup to Flash/swf stories

We've received quite a bit of mail about our stories yesterday about the malicious SWF files attempting to exploit older versions of the Adobe Flash player.  So, here are a few of the things that have come out of our discussions.

  1. Our friends over at (thanks, Steven) have a nice writeup that includes a number of domains they've seen hosting the malicious SWF files.
  2. If you aren't sure which version of the flash player you are using, Adobe provides this page where you can check for yourself.
  3. On closer examination, this does not appear to be a "0-day exploit".  Symantec has updated their threatcon info, as well.
  4. It appears that this exploit may be included in the Chinese version of the MPack exploit toolkit (among others).
  5. In case we weren't clear about it earlier, it appears that the infected web sites check which browser you are using in addition to the flash player version to determine which exploit to deliver.

There are several ways to protect yourself even if you have a vulnerable version of the Flash player.

  • In Firefox, you can use either of the following add-ons: NoScript (one of our favorites, found here or here) or FlashBlock (here or here).
  • In IE, see here for how to set the "killbit"; the CLSID is BD96C556-65A3-11D0-983A-00C04FC29E36.
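
One way to audit, and only then apply, the kill bit for a given CLSID on a Windows host, as an added PowerShell example that is not part of the original diary. The function names are my own, it assumes an elevated prompt for the set step, and the two CLSIDs are simply the ones quoted on this page, so the lookup shows which control each actually maps to before anything is changed:

```powershell
# Added example, not from the ISC diary: audit (and optionally set) the IE "kill bit" for
# an ActiveX control. The kill bit is 0x400 in the DWORD "Compatibility Flags" under the
# ActiveX Compatibility key (MS KB240797). Setting it needs an elevated prompt.
$KillBit = 0x400
$CompatRoots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')  # 64-bit and 32-bit IE views

function Resolve-ClsidName {
    # Registered name of the CLSID, so you know which control you are actually blocking
    param([Parameter(Mandatory)][string]$Clsid)
    $id = '{' + $Clsid.Trim('{}') + '}'
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$id"
    if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { '<not registered>' }
}

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    $id = '{' + $Clsid.Trim('{}') + '}'
    foreach ($root in $CompatRoots) {
        $p = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$id"
        $flags = 0
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p).'Compatibility Flags'
            if ($null -ne $v) { $flags = [int]$v }
        }
        [pscustomobject]@{ Clsid = $id; Control = (Resolve-ClsidName $id); Hive = $root
                           Flags = ('0x{0:X}' -f $flags); KillBitSet = (($flags -band $KillBit) -ne 0) }
    }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $id = '{' + $Clsid.Trim('{}') + '}'
    foreach ($root in $CompatRoots) {
        $p = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$id"
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $cur = (Get-ItemProperty -Path $p).'Compatibility Flags'
        if ($null -eq $cur) { $cur = 0 }
        # OR the bit in so any other compatibility flags already present are preserved
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ([int]$cur -bor $KillBit) -Force | Out-Null
    }
}

# Audit the two CLSIDs quoted on this page; run Set-KillBit only after confirming the control name
'BD96C556-65A3-11D0-983A-00C04FC29E36', 'd27cdb6e-ae6d-11cf-96b8-444553540000' |
    ForEach-Object { Get-KillBitState -Clsid $_ } | Format-Table -AutoSize
```

The Control column answers the question raised in the comment below this diary: it tells you what a CLSID is registered as on the machine you are about to change.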

Comment from an ISC Handler:
The CLASSID cited here isn't for any version of Flash, it's for the very-popular-with-the-bad-guys RDS.DataControl BD96C556-65A3-11D0-983A-00C04FC29E36 (MS06-014). Symantec is recommending setting the killbit for {d27cdb6e-ae6d-11cf-96b8-444553540000} ... is there a classid for just the known-vulnerable version of Flash?
