STERLING, VA., May 28, 2008 - On May 27, 2008, Symantec moved to ThreatCon 2 based on information that a new and unpatched vulnerability in Adobe's Flash Player was being exploited in the wild. Based on analysis of the sites provided by Symantec and of exploit sites gathered from internal data, it is clear that the exploit targets an older, already patched vulnerability rather than a new one. The vulnerability in question was found by Mark Dowd of ISS, who describes it in a paper on a novel technique for exploiting null pointer dereference bugs.
The exploit has been incorporated into widely used Chinese exploit kits, which are typically deployed in conjunction with SQL-injection attacks. Using SQL injection on a mass scale, attackers inject IFrames into tens of thousands of legitimate pages so that those pages silently load content from the exploit sites. Currently at least six sites host the Adobe Flash exploits, and IFrames on countless other sites point to them. The typical payload is a Trojan that steals account information and passwords for online games such as World of Warcraft.
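The practical check a site owner wants after a mass SQL-injection campaign of this kind is a scan of stored content for IFrames that were never placed by a site author. The following is an added example, not code from iDefense or from the original release; the sample database rows, the site hostname (www.example.com) and the exploit hostnames (exploit-host.example, another-host.example) are constructed for illustration.

```javascript
// Added example (not from iDefense or the original release): scan HTML stored
// in a web application's database for IFrames like those the mass
// SQL-injection campaigns described above append to text columns.
// The sample rows, the site host and the exploit hostnames are constructed.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Parse the attribute list of one tag into a lowercase-keyed object.
function parseAttrs(raw) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Return one finding per IFrame that points off-site, has a zero dimension,
// or is hidden with CSS: all three are typical of injected exploit frames and
// atypical of frames a site author placed deliberately.
function findInjectedIframes(html, siteHost) {
  const findings = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    const src = a.src || '';
    const reasons = [];
    let host = '';
    try {
      host = new URL(src, `http://${siteHost}/`).hostname; // relative src resolves to siteHost
    } catch (e) {
      reasons.push('unparsable src');
    }
    if (host && host !== siteHost) reasons.push('off-site src');
    if (parseInt(a.width, 10) === 0 || parseInt(a.height, 10) === 0) reasons.push('zero-size frame');
    const style = (a.style || '').replace(/\s+/g, '').toLowerCase();
    if (style.includes('display:none') || style.includes('visibility:hidden')) reasons.push('hidden by style');
    if (reasons.length) findings.push({ src, host, reasons });
  }
  return findings;
}

// Distinct hosts referenced by the findings: the list to block at the proxy
// and to report, and a rough count of how many exploit sites are in play.
function exploitHosts(findings) {
  return [...new Set(findings.map((f) => f.host).filter(Boolean))].sort();
}

// Constructed sample: two rows of legitimate content and two rows carrying the
// kind of IFrame a mass SQL-injection campaign appends to a text column.
const SAMPLE_ROWS = [
  '<p>Welcome to our store.</p>',
  '<iframe src="/help/widget.html" width="300" height="200"></iframe>',
  '<p>Spring sale!</p><iframe src="http://exploit-host.example/i.htm" width=0 height=0></iframe>',
  '<iframe src="http://another-host.example/fs.htm" style="display: none"></iframe>',
];

const SITE_HOST = 'www.example.com';
const FINDINGS = findInjectedIframes(SAMPLE_ROWS.join('\n'), SITE_HOST);
for (const f of FINDINGS) console.log(`${f.src}: ${f.reasons.join(', ')}`);
console.log('exploit hosts:', exploitHosts(FINDINGS));
```

Run it under Node against content exported from the affected database columns; the legitimate same-origin frame is not reported, while the two constructed injected frames are flagged with the reason that gave them away, and the host list is what goes to the web proxy block list. A same-origin IFrame of normal size is deliberately left alone so the scan does not drown real findings in false positives.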
Users can protect themselves from this exploit by verifying that they are running the most recent version of Adobe Flash Player, 9.0.124, which was released on April 8, 2008. Both Internet Explorer and Firefox can be exploited, and each loads its own copy of Flash Player: Internet Explorer uses the ActiveX control and Firefox uses the browser plug-in, which are installed separately and can be at different versions. Users should therefore verify the version in each browser they use.
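The version each browser reports comes in a different format, and the check has to be run in each browser because the ActiveX control and the plug-in are separate installs. The following is an added example, not code from iDefense or Adobe: it parses both formats, compares against 9.0.124, and, when run inside a browser, asks that browser for its own Flash version. The version strings in it are constructed samples of the formats the two browsers use.

```javascript
// Added example (not from iDefense or Adobe): check the Flash Player version a
// browser reports against the patched release, 9.0.124. Internet Explorer
// loads the ActiveX control and Firefox loads the NPAPI plug-in, which are
// installed separately, so this must be run in each browser. The version
// strings below are constructed samples in the formats each browser uses.

const PATCHED = [9, 0, 124];

// Accepts "Shockwave Flash 9.0 r124" (Firefox plug-in description),
// "WIN 9,0,124,0" (IE GetVariable("$version")) and plain "9.0.124".
// Returns [major, minor, build] or null if no version is present.
function parseFlashVersion(s) {
  const m = /(\d+)[.,](\d+)[ .,]*r?(\d+)/.exec(String(s || ''));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True only when the reported version is 9.0.124 or later.
function isPatched(versionString) {
  const v = parseFlashVersion(versionString);
  return v !== null && compareVersions(v, PATCHED) >= 0;
}

// Ask the running browser for its Flash version. Returns null outside a
// browser (e.g. under Node) or when no Flash Player is installed.
function detectFlashVersion() {
  if (typeof navigator !== 'undefined' && navigator.plugins) {
    const plugin = navigator.plugins['Shockwave Flash']; // Firefox and other NPAPI browsers
    if (plugin && plugin.description) return plugin.description;
  }
  if (typeof ActiveXObject !== 'undefined') { // Internet Explorer
    try {
      return new ActiveXObject('ShockwaveFlash.ShockwaveFlash').GetVariable('$version');
    } catch (e) { /* control not installed or blocked */ }
  }
  return null;
}

// Constructed samples of what each browser reports before and after the update.
const SAMPLES = {
  'Firefox, unpatched': 'Shockwave Flash 9.0 r115',
  'Firefox, patched': 'Shockwave Flash 9.0 r124',
  'IE, unpatched': 'WIN 9,0,115,0',
  'IE, patched': 'WIN 9,0,124,0',
};
for (const [label, s] of Object.entries(SAMPLES)) {
  console.log(`${label}: ${s} -> ${isPatched(s) ? 'OK' : 'UPDATE REQUIRED'}`);
}
const live = detectFlashVersion();
console.log('this browser reports:', live === null ? 'no Flash Player found' : live);
```

Dropped into a page and opened in Internet Explorer and then in Firefox, the last line shows what each browser actually loaded, which is the figure that matters; a patched ActiveX control says nothing about the plug-in Firefox uses, and vice versa. Under Node only the constructed samples are evaluated.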
Key facts:
- Exploit vulnerability (CVE-2007-4748) outlined by Mark Dowd of ISS: http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
- First seen in the wild on Saturday, May 24, 2008, served from a site located in China
- Adobe patched the vulnerability in 9.0.124, which was released on April 8, 2008
- For protection, all users should upgrade to Flash Player 9.0.124 or later
- Exploit impacts Windows users running Flash in Internet Explorer or Firefox
- At least six sites are hosting the exploit; countless other sites are linked by IFrames
- Exploits currently installing Trojans that steal credentials for online games such as World of Warcraft
###
About VeriSign and iDefense
iDefense provides information security intelligence to the U.S. government and Global 2000 companies, including leaders in financial services, energy, transportation and telecommunications. The company provides customized, actionable, timely and relevant intelligence detailing potential threats, vulnerabilities and security issues directly to C-level executives, general counsels, auditors, senior security managers and staff, and system administrators. Further information is available at labs.idefense.com. VeriSign, Inc. (Nasdaq: VRSN), operates intelligent infrastructure services that enable and protect billions of interactions every day across the world's voice and data networks. Information on VeriSign's responsible vulnerability disclosure policy can be found at http://labs.idefense.com/legal.php. Additional news and information about the company is available at www.verisign.com.
Trademarks
VeriSign and other trademarks, service marks and logos are registered or unregistered marks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. Copyright © 2008 VeriSign, Inc. All rights reserved.
Forward-Looking Statement
Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as increasing competition and pricing pressure from competing services offered at prices below our prices and market acceptance of our existing services, the inability of VeriSign to successfully develop and market new services and the uncertainty of whether new services as provided by VeriSign will achieve market acceptance or result in any revenues. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the company's Annual Report on Form 10-K for the year ended December 31, 2005 and quarterly reports on Form 10-Q. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.