

Adobe confirms flash 0-day, issues security bulletin - trotsky
https://www.adobe.com/support/security/advisories/apsa11-02.html

======
trotsky
Background on the advisory:
[http://krebsonsecurity.com/2011/04/new-adobe-flash-zero-day-...](http://krebsonsecurity.com/2011/04/new-adobe-flash-zero-day-being-exploited/)

 _According to sources, the attacks exploit a vulnerability in fully-patched
versions of Flash, and are being leveraged in targeted spear-phishing
campaigns launched against select organizations and individuals that work with
or for the U.S. government. Sources say the attacks so far have embedded the
Flash exploit inside of Microsoft Word files made to look like important
government documents._

Here's a virustotal scan of one of the documents:
[http://www.virustotal.com/file-scan/report.html?id=1e677420d...](http://www.virustotal.com/file-scan/report.html?id=1e677420d7a8160c92b2f44f1ef5eea1cf9b0b1a25353db7d3142b268893507f-1302359653)

The fact that one AV engine detected it as a 0-day was the source of
admonishments or congratulations depending on where the observers stood, until
it was discussed that the one detection was probably an unrelated false
positive.

~~~

Additional artifacts from the attack including the spear-phishing tease and the
times they were being sent (early morning Friday, Apr 8) - at the height of the
budget battle.

[http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611...](http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html)

------
dougmccune
I think it's worth pointing out that this vulnerability is being exploited by
people opening Word docs (on Windows) that they get via a phishing email. The
last 0-day exploit against Flash that I saw posted on HN was the same thing
but for a swf embedded in Excel. Not that these things aren't bad, but saying
"Flash 0-day" sounds an awful lot more doomsday-ish than "0-day exploit if you
open an attachment from a phishing email". Not trying to make excuses for
Adobe, but people around here are pretty quick to jump on the overly-dramatic
bandwagon when it comes to Flash.

~~~
peepasaur
Agreed. There's some fear-mongering with that type of headline.

Of course, I had no idea that flash could even be embedded in Office
applications.

~~~
edge17
I mean... they just want to look responsible. If they'd toned it down, people
would have accused them of not taking things seriously enough. It's better for
them to seize the situation and own it rather than let the press have a field
day and then spend time having to explain themselves. That's just my 2c...

------
joeyh
Happy thank-goodness-I-removed-flash day. One of the best holidays, since I
get to celebrate it so many times a year..

~~~
beej71
"...and are being leveraged in targeted spear-phishing campaigns launched
against select organizations and individuals that work with or for the U.S.
government"

Perhaps you work for or with the U.S. Government. Information leakage is fun!
;-)

------
jrockway
Man, Flash is like Windows 98 back in the day. Time to take the plunge and
uninstall.

