Adobe has released a security advisory warning of a zero-day vulnerability in the current versions of Adobe Flash Player, Reader and Acrobat. Affected are Flash Player 10.2.153.1 and earlier for Windows, Mac, Linux and Solaris, the Flash Player version integrated in the Chrome web browser, and 10.2.156.12 and earlier for Android. The authplay.dll component of current and older versions of Adobe Acrobat and Reader is also affected; according to Adobe, however, the sandbox of Adobe Reader X prevents the malicious payload from executing.
The vulnerability allows attackers to run malicious code through manipulated documents. Adobe reports that targeted attacks are currently under way which use a Word document with a specially prepared Flash Player file (.swf) embedded in it to infect victims.
The company is currently finalizing a schedule for updated software versions. Until those updates are available, users should be careful about which documents they open; documents that arrive without being expected should be treated as suspicious.
The Word document currently used in these attacks looks harmless and contains no useful information.
The payload inside the Microsoft Word document is an XOR-encrypted Flash file, which is written to “C:\Documents and Settings\<User Name>\Local Settings\Temp\513.swf” and executed when the document is opened. Inside this Flash file another Flash file is embedded, which actually triggers the vulnerability and creates a file called “svchost.exe”.
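An analyst-side check for this kind of dropper, added here as an example and not part of the original post or of Avira's tooling: it searches a document for an SWF header that was hidden with a single-byte XOR key (as in the Word document above) and carves the decoded Flash file out for inspection. The sample document, the key 0x5A and the offsets are constructed for the demonstration.

```python
# Added example: locate an SWF obfuscated with a single-byte XOR key inside a
# document and carve it out for analysis. All sample data below is constructed.
import sys

SWF_MAGICS = (b"FWS", b"CWS")          # uncompressed / zlib-compressed SWF headers


def find_xor_swf(data: bytes):
    """Return (offset, key, magic, version, declared_length) for each plausible hit."""
    hits = []
    for key in range(256):              # key 0 covers a plain, unencrypted SWF
        for magic in SWF_MAGICS:
            needle = bytes(b ^ key for b in magic)
            off = data.find(needle)
            while off >= 0:
                hdr = bytes(b ^ key for b in data[off:off + 8])
                if len(hdr) == 8:
                    version = hdr[3]
                    length = int.from_bytes(hdr[4:8], "little")
                    # plausibility filter: sane SWF version, declared size fits the file
                    if 1 <= version <= 50 and 8 <= length <= len(data) - off:
                        hits.append((off, key, magic.decode(), version, length))
                off = data.find(needle, off + 1)
    return hits


def carve(data: bytes, off: int, key: int, length: int) -> bytes:
    """Decode the SWF found at `off` with `key` and return its plain bytes."""
    return bytes(b ^ key for b in data[off:off + length])


def build_sample():
    """Constructed stand-in for a malicious .doc: OLE2 magic, padding, XOR'd SWF."""
    body = b"\x00" * 20
    swf = b"FWS" + bytes([10]) + (8 + len(body)).to_bytes(4, "little") + body
    enc = bytes(b ^ 0x5A for b in swf)                 # hypothetical key 0x5A
    doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + enc + b"\x00" * 16
    return doc, swf


if __name__ == "__main__":
    # Pass a document path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()[0]
    for off, key, magic, ver, length in find_xor_swf(data):
        print(f"{magic} v{ver} at offset {off}, key 0x{key:02x}, {length} bytes")
```

Each hit can then be carved with `carve()` and handed to an SWF disassembler; the version and length filter keeps random three-byte matches from flooding the output.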
This “svchost.exe”, which Avira detects as TR/Drop.small.hgt, creates two DLL files named “msimage.dat” and “mspmsnsv.dll” and installs a service called “WmdmPmSN”. It then tries to connect to “lic****.dyndns-free.com”, which is already offline. The malicious DLL files are detected by Avira as “TR/PSW.Agent.wyf” and “TR/PSW.Agent.wya”; the malicious SWF files as well as the Word document are detected as “EXP/CVE-2011-0611”. Avira users are therefore protected from this threat starting with Virus Definition File (VDF) 7.11.06.72.