Followup to Flash/swf stories - SANS Internet Storm Center

Followup to Flash/swf stories
We've received quite a bit of mail about our stories yesterday about the malicious SWF files attempting to exploit older versions of the Adobe Flash player. So, here are a few of the things that have come out of our discussions. Our friends over at shadowserver.org (thanx, Steven) have a nice writeup that includes a bunch of domains they've noted that have the malicious SWF files. If you aren't sure which version of the flash player you are using, Adobe provides this page where you can check for yourself. On closer examination, this does not appear to be a "0-day exploit". Symantec has updated their threatcon info, as well. It appears that this exploit may be included in the Chinese version of the MPack exploit toolkit (among others). In case we weren't clear about it earlier, it appears that the infected web sites check which browser you are using in addition to the flash player version to determine which exploit to deliver. There are several ways to protect yourself even if you have a vulnerable version of the Flash player. In Firefox, you can use either of the following add-ons, NoScript (one of our favorites, found here or here) or FlashBlock (here or here). In IE, see here for how to set the "killbit", the CLSID is BD96C556-65A3-11D0-983A-00C04FC29E36. I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Cyber Defence Australia 2022	Jim 423 Posts ISC Handler May 28th 2008
Thread locked Subscribe	May 28th 2008 1 decade ago
The CLASSID cited here isn't for any version of Flash, it's for the very-popular-with-the-bad-guys RDS.DataControl BD96C556-65A3-11D0-983A-00C04FC29E36 (MS06-014). Symantec is recommending setting the killbit for {d27cdb6e-ae6d-11cf-96b8-444553540000} ... is there a classid for just the known-vulnerable version of Flash?	Anonymous
Quote	May 28th 2008 1 decade ago