An unpatched bug in Adobe Systems' Flash Player software is being exploited by online criminals, Symantec reported Monday.
"We've seen a new, previously undisclosed vulnerability in Flash that is actually being exploited in the wild," said Oliver Friedrichs, a director with Symantec Security Response.
The attacks are relatively widespread, too, according to McAfee. Criminals have hacked into about 220,000 Web pages and added scripts to these pages that redirect victims to one of at least 57 Web servers that actually serve up the attack code. Once a computer has been compromised, the attackers try to install several malicious programs, such as remote-control botnet software and programs designed to steal World of Warcraft usernames and passwords.
The attack servers were not always live Monday, popping on and off the Internet all day, said McAfee Security Research Manager David Marcus.
The hacked sites that redirect victims to the attack servers include the Web pages for small towns, businesses or nonprofit organizations, Marcus said. They were probably hacked with an automated tool that used Google to search for pages vulnerable to certain types of Web attacks, he said.
Although antivirus products such as McAfee can block the attack code, as well as the software that it's designed to download, it's worrisome to see such a widespread attack on an unpatched flaw, Marcus said. "Something like this is probably going to be pretty successful."
Few details on the bug itself are available, but the flaw lies in the latest version of the Adobe Flash Player browser plugin, which is widely used by Internet surfers to view animated Web pages. The flaw affects both the recently released Flash Player version 9.0.124 .0 and version 18.104.22.168, according to an advisory posted Monday to Symantec's Security Focus Web site.
If the attack fails for some reason, it will probably crash the browser. Symantec is not aware of any vendor-supplied patches for the flaw.
Symantec is testing the Flash attack code and has confirmed that it works on Windows XP, Friedrichs said. "This particular attack is targeted toward just the Windows platform," he said. "If it's a broader vulnerability, it may also be present in the flash plugins on other platforms as well."
Flash Player runs on several browsers and can be used with the Windows, Mac OS X, Linux and Solaris operating systems.
Flash bugs have lately been a favorite of attackers. Adobe last month patched seven bugs in Flash Player, including the one that allowed hacker Shane Macaulay to win a laptop and US$5,000 for hacking into a Windows Vista machine in a March contest at the CanSecWest security conference.
In January, Adobe and other Web-development-tool vendors had to fix bugs in their development tools that created buggy Shockwave Flash (.swf) files that could be exploited in a cross-site scripting attack. This attack can be used by phishers, but it also gives the bad guys a nearly undetectable route into a victim's bank account or almost any type of Web service.
Last year, Symantec tracked close to 500 vulnerabilities in plugins such as the Flash Player. And cyber criminals have also exploited bugs in Real Player and Apple's QuickTime multimedia player in high-profile online attacks.
When contacted Monday, Adobe could not confirm the details of Symantec's report.
"We are working with Symantec to investigate the potential SWF vulnerability," an Adobe spokesman said in an e-mail interview, "and will make more information available as soon as we know more."
The company is promising to post this information on its Product Security Incident Response Team blog.
[Updated 4:19 p.m. PT: Update replaces former paragraphs 2 and 3 with paragraphs two through 10, containing updated information from Symantec & McAfee. Also adds paragraph 13 with more details on plugin vulnerabilities, and a link to Adobe's security blog on paragraph 16.]