Malicious Adobe Flash files are making the rounds of some lucky individuals that have been targeted for spearphishing, according to news reports. Adobe has confirmed that the vulnerability exists in its Flash program, and that the infected files have been distributed (so far) embedded in a Microsoft Word document sent as an email attachment. This is reminiscent of another weakness in Flash that was exploited back in March; however, in that case malicious Flash files using a different vulnerability were distributed embedded in Excel files.
According to Adobe’s advisory, this newly discovered vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system.
At Commtouch we were pleased to be singled out by leading security publications like Krebs on Security, eWeek, and Computerworld, highlighting the fact that Commtouch’s Command AV was the only antivirus engine that identified the virus during the crucial “zero-day” period. Of course two days have gone by since then, and other AV engines have since started releasing their signatures for the malware. But two days of exposure is a looooooong time in security terms (remember the phrase “Internet time”? It’s only gotten faster). The March Flash vulnerability had led to the compromise of RSA Security, which just goes to show that every minute counts, and even a company as security conscious as RSA is not immune to a well-crafted attack that combines social engineering (in the form of a highly targeted email) with a technical vulnerability.
A question arose on one of the blogs: if Commtouch alone blocked this virus in its early days, isn’t that a sign that we are probably overblocking in other cases? In other words, doesn’t such vigilant blocking lead to false positives (i.e. mistakenly calling something a virus when it’s actually legitimate)? The answer is: no, not if you’re careful. The proof is in the most recent Virus Bulletin VB100 certification test, in which Commtouch had zero false positives.
Commtouch’s Command AV uses a holistic approach to security with several threat protection modules that include heuristics and emulation, and provides defense in depth. In this case, a heuristic signature geared towards a specific delivery mechanism for exploits was successful in detecting this brand new exploit. It is an excellent example of how proactive heuristics are successful.
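The delivery mechanism described above, a Flash object carried inside an Office document, is the kind of thing a container-aware heuristic can flag before any signature for the exploit itself exists. The following is an added illustration written for this post, not Commtouch’s own heuristic (which the post does not describe) and not a detector for CVE-2011-0611 specifically: it scans a file for SWF headers (the real `FWS`/`CWS` magic bytes plus version and declared length) and flags the combination of a legacy OLE2 Office container and an embedded SWF. The OLE2 and SWF magic values are real; the sample document is constructed inline, and the version and length bounds are assumptions chosen to keep random byte matches from triggering the check.

```python
"""Heuristic: flag Flash (SWF) headers embedded inside legacy Office (OLE2) files.

Added example, not vendor code. The plausibility bounds below are assumptions
made for this illustration, not values taken from any product.
"""
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls compound file header
SWF_MAGICS = (b"FWS", b"CWS")                    # uncompressed / zlib-compressed SWF header
MAX_PLAUSIBLE_SWF_LEN = 64 * 1024 * 1024         # assumption: larger declared sizes are noise
MAX_PLAUSIBLE_VERSION = 40                       # assumption: SWF versions in 2011 were far below this


def find_swf_headers(data):
    """Return every plausible SWF header found anywhere in the byte string.

    A bare 3-byte magic match is too weak on its own (it appears by chance in
    arbitrary data), so the 1-byte version and 4-byte little-endian length that
    follow the magic in a real SWF header are checked for plausibility too.
    """
    hits = []
    for magic in SWF_MAGICS:
        idx = data.find(magic)
        while idx != -1:
            if idx + 8 <= len(data):
                version = data[idx + 3]
                declared_len = struct.unpack_from("<I", data, idx + 4)[0]
                if 1 <= version <= MAX_PLAUSIBLE_VERSION and 8 <= declared_len <= MAX_PLAUSIBLE_SWF_LEN:
                    hits.append({
                        "offset": idx,
                        "magic": magic.decode("ascii"),
                        "version": version,
                        "declared_len": declared_len,
                    })
            idx = data.find(magic, idx + 1)
    return sorted(hits, key=lambda h: h["offset"])


def classify(data):
    """Identify the container and decide whether Flash-in-Office is present."""
    if data.startswith(OLE2_MAGIC):
        container = "ole2"
    elif data[:3] in SWF_MAGICS:
        container = "swf"
    else:
        container = "other"

    hits = find_swf_headers(data)
    if container == "swf":
        # A standalone .swf naturally starts with its own header; that is not an embedding.
        hits = [h for h in hits if h["offset"] != 0]

    # The suspicious combination is an Office container that carries a Flash object.
    suspicious = container == "ole2" and bool(hits)
    return {"container": container, "embedded_swf": hits, "suspicious": suspicious}


def build_sample_doc():
    """Constructed sample: a fake OLE2 document with a fake CWS header 526 bytes in."""
    fake_swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 64
    return OLE2_MAGIC + b"\x00" * 504 + b"Object stream\x00" + fake_swf + b"\x00" * 128


if __name__ == "__main__":
    print(classify(build_sample_doc()))
```

The plausibility checks on version and length are where the false-positive question from above is decided: a heuristic that fired on the three magic bytes alone would flag clean files that happen to contain `FWS`, while requiring the header fields to look like a real SWF keeps the rule narrow enough to survive a certification test and still catch a brand new exploit delivered this way.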