Comments on: Flash Zero-Day Attacks WoW http://trailofbits.com/2008/05/28/flash-zero-day-attacks-wow/ 4888 C3C4 099A 4240 9648 719B 84E0 A6FE 32AE 38F6 Mon, 02 May 2011 23:50:01 +0000 hourly 1 http://wordpress.com/ By: Dino Dai Zovi http://trailofbits.com/2008/05/28/flash-zero-day-attacks-wow/#comment-16 Sat, 31 May 2008 01:23:34 +0000 http://trailofbits.wordpress.com/?p=13#comment-16 @anonemouse

Re: GDI, I think you are right about that. I submitted the sample to an online sandbox test and it came back with a clean bill of health (Not malware, go ahead and run it!).

Re: Youtube Flash, I would assume that a well written feature would use signed updates from Adobe. Any website can get the remote flash version, so they could just say, “click this button, which links to https://www.adobe.com/go/getflash” to update to the latest Flash. But Flash already allows some sort of local file writing after the user clicks ‘OK’, install AIR for an example of this. However, you are right that perhaps training users to click somewhere to “update” their software could be a dangerous precedent to set, but with a signature check and proper UI design, it could work I think.

]]> By: anonemouse http://trailofbits.com/2008/05/28/flash-zero-day-attacks-wow/#comment-15 Fri, 30 May 2008 23:58:41 +0000 http://trailofbits.wordpress.com/?p=13#comment-15 Also, I have to disagree with you on the Youtube Flash NAC idea. What makes Youtube trustworthy? Do we really want to train users to trust a pop-up on a website telling them to ‘download an update here’? How should they know to trust youtube.com and not yutube.com?

]]> By: anonemouse http://trailofbits.com/2008/05/28/flash-zero-day-attacks-wow/#comment-14 Fri, 30 May 2008 23:54:06 +0000 http://trailofbits.wordpress.com/?p=13#comment-14 It’s been a while since I’ve done any hardcore RE’ing, but I do remember seeing lots of samples with random GDI function calls. I believe they’re meant to ferret out sandboxing, since a sandbox that implements only a subset of the Windows API probably wouldn’t bother with GDI.

Just a hunch though.

]]> By: Dino Dai Zovi http://trailofbits.com/2008/05/28/flash-zero-day-attacks-wow/#comment-11 Fri, 30 May 2008 02:15:39 +0000 http://trailofbits.wordpress.com/?p=13#comment-11 @John Dowdell

Hi John, thanks for the comment and update. I downloaded the attack from one of the malware sites tuesday afternoon, so they were at least up at that time.

I wholeheartedly agree with the need to run current software and make sure that it is easy for users to do so. If YouTube asked users to click ‘ok’ to have flash self-update to the latest version, I’m sure the vast majority of users would be upgraded pretty quickly. How about it, YouTube/Google?

]]> By: John Dowdell http://trailofbits.com/2008/05/28/flash-zero-day-attacks-wow/#comment-9 Thu, 29 May 2008 16:31:18 +0000 http://trailofbits.wordpress.com/?p=13#comment-9 Hi, it might be good to highlight that using current software seems to protect against any risk, even if those two Chinese servers had not already been shut down by the time the story appeared.
http://www.pcworld.com/businesscenter/article/146396/symantec_backtracks_on_adobe_flash_warning.html
http://blogs.adobe.com/psirt/

(The “20,000 domains” were about an HTML injection which pointed to the servers in China which temporarily hosted the malformed SWF.)

I appreciate the update, but could we highlight the need to use current software…?

tx, jd/adobe

]]> By: Zero Day mobile edition http://trailofbits.com/2008/05/28/flash-zero-day-attacks-wow/#comment-7 Wed, 28 May 2008 21:46:08 +0000 http://trailofbits.wordpress.com/?p=13#comment-7 [...] First up is Dino Dai Zovi’s walkthrough: [...]

]]>