Finjan detects zero-day attacks due to Adobe vulnerability
Finjan's Malicious Code Research Center (MCRC) revealed that, by exploiting this Adobe vulnerability, attackers can download and execute malicious code on a victim's PC. The attack is being carried out through compromised websites that contain a script tag, which loads the exploit from a remote malicious server.
The malicious script uses a heap-spray technique to load the attack shellcode, which in turn loads a specially crafted Flash file that triggers the vulnerability.
Finjan also claimed that the shellcode embedded in the script loads an obfuscated executable, in order to evade detection by signature-based security products. The downloaded malicious executable creates a Trojan DLL named “wmimachine2.dll” and registers it as a service on the victim's PC.
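As an added example that is not part of Finjan's report, the following PowerShell check lets a responder see whether any Windows service on a host is backed by the DLL name quoted above. It assumes the Trojan registered itself the way DLL-based services normally are, through an ImagePath or a Parameters\ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services; the report does not state how the service was registered.

```powershell
# Added example, not code from Finjan or Adobe. Looks for any service whose
# ImagePath or Parameters\ServiceDll references the DLL named in the report.
# Assumption: a DLL-based service is wired up via ServiceDll (svchost-hosted)
# or via ImagePath; other persistence methods are not covered here.
$Indicator   = 'wmimachine2.dll'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Find-ServiceByDll {
    param([string]$DllName = $Indicator)
    $hits = @()
    foreach ($svc in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $props      = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $params     = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
        $imagePath  = [string]$props.ImagePath
        $serviceDll = [string]$params.ServiceDll
        # Skip services that reference neither value.
        if ("$imagePath $serviceDll" -notlike "*$DllName*") { continue }
        # A ServiceDll that no longer exists on disk suggests partial cleanup.
        $dllOnDisk = $null
        if ($serviceDll) {
            $expanded  = [Environment]::ExpandEnvironmentVariables($serviceDll.Trim('"'))
            $dllOnDisk = Test-Path -LiteralPath $expanded
        }
        $hits += [pscustomobject]@{
            Service    = $svc.PSChildName
            Start      = $props.Start      # 2 = automatic start, typical for persistence
            ImagePath  = $imagePath
            ServiceDll = $serviceDll
            DllOnDisk  = $dllOnDisk
        }
    }
    return $hits
}

$found = Find-ServiceByDll
if ($found) { $found | Format-Table -AutoSize } else { "No service references $Indicator" }
```

A hit is a starting point for triage, not proof of compromise on its own; confirm by inspecting the referenced file and the service's creation time.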
MCRC found that none of the 40 anti-virus products on VirusTotal detected the exploit as malicious when it was submitted there.
Adobe has said that an update for the critical vulnerability is currently being developed and is expected to be available for Flash Player v9 and v10 for Windows, Macintosh and Linux by 30th July 2009. It said that the date for Flash Player v9 and v10 for Solaris is still pending.
Adobe said: “We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by 31st July 2009.”
Finjan claimed that this delay will leave end-users' PCs unprotected in the meantime.