ZeroAccess Rootkit Launched by Signed Installers

Discussion in 'other security issues & news' started by Zyrtec, Dec 3, 2011.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    That was the reason for the Microsoft communication.

    Vulnerability is solved by specifying the path of the Dynamic Load Library.

    Most installers create a folder in the Temp library in which stuff is unpacked et cetera. I am not using Adobe Flash anymore (using Chrome's sandboxed version). So I don't recall exactly. I thought that Adobe updated through installer from Temp directory, which explains my 'hunt the egg' assumption (through auto-update).

    Probably Adobe has corrected this weakness.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I suppose McAfee forgot to mention that the dll wouldn't load? (It seems Adobe corrected this issue for some time now.) Didn't they test it? Didn't they check what version it was? :rolleyes:

    As I previously mentioned, nothing but FUD. Now, seriously :rolleyes:, there should be laws forbidding this kind of behavior.

    If people download applications always from the official websites, then they will always get the most up-to-date versions.

    Apparently, the most recent version(s) do fix the DLL loading issue.

    This article brings nothing new - Uneducated users will get screwed as always... Is there really a reason to blog about such thing, if they have no intentions of educating? o_O

    Heck, they didn't even have the decency of providing a link to the official Adobe website, from where people can get Flash Player. How's that for lame? :blink:
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. wat0114

    wat0114 Guest

    No doubt you and m00nbl00d are right, that Adobe has addressed this.

    Adobe does use the user's Temp directory for its installation process:

    There are some other numerical .TMP Adobe files generated, such as 9349.TMP, for example, as well.
     
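A defender's check for the situation the thread describes (an installer unpacking into the user's Temp directory, where a planted DLL could be picked up by an unqualified library load): this added PowerShell script is not from the thread or from Adobe, it only reads metadata, and it assumes the installer's unpack folder lives under `$env:TEMP`. It lists DLLs there that either carry no valid Authenticode signature or are writable by ordinary users, which is the combination that makes a library load without a specified path risky.

```powershell
# Added example, not part of the original thread. Audit DLLs that an installer
# has unpacked under the user's Temp directory (assumed to be $env:TEMP).
# Nothing is loaded or executed; signatures and ACLs are only inspected.
param(
    [string]$Root = $env:TEMP
)

Get-ChildItem -Path $Root -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $acl = Get-Acl -Path $_.FullName
        # An ACE that lets Everyone/Users/Authenticated Users write or modify the
        # file means any local process could replace the DLL before it is loaded.
        $userWritable = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        }
        [pscustomobject]@{
            Path          = $_.FullName
            Signed        = ($sig.Status -eq 'Valid')
            SignerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            UserWritable  = [bool]$userWritable
        }
    } |
    # Report only the DLLs that fail either check; a signed, non-writable DLL is expected.
    Where-Object { -not $_.Signed -or $_.UserWritable } |
    Sort-Object Path |
    Format-Table -AutoSize
```

Run it while an installer is mid-way through unpacking to see what actually sits beside the installer in Temp; a DLL that appears there unsigned is worth investigating before approving any UAC prompt the installer raises.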
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I downloaded a sample of ZeroAccess from MDL and ran it in Windows 7 x64. It runs a very recent (v11.x) legitimate Flash installer, presumably as a means of getting admin privileges in Vista or later if UAC is enabled and the user answers yes to the UAC prompt for Flash. When run in Windows XP, the same sample doesn't run the Flash installer.
     
    Last edited: Dec 9, 2011