I was just browsing YouTube when I got a notification from NIS 2008 about an intrusion attempt called "HTTP Adobe SWF Remote Code Exec" that was blocked. At first it said that the name of the computer the intrusion came from was called m1.2mdn.net. I clicked the "history" button to make sure I didn't get any intrusions before and found no other intrusions. When I clicked the "finish" button I got back to the intrusion notification window and the name of the intruding computer changed to "airdownload.adobe.com". It still had the same IP address as "m1.2mdn.net" though and it was "24.153.XXX.XXX, 80".
So is this intruding computer trying to disguise itself or is Adobe actually trying to update my flash players? I have flash player 9.0.124.0 which is the latest version that is supposed to be immune against HTTP Adobe SWF Remote Code Exec. I am running Windows XP SP3. I was browsing with Internet Explorer 7.0.5730.11. I also had another website open at the time called post-apocalypse.co.uk.
According to Norton, HTTP Adobe SWF Remote Code Exec is an actual threat though - http://www.symantec.com/avcenter/attack_sigs/s22964.html
According to your info you have the most updated Flash Player which the Norton Website you referenced indicates the problem was fixed in the newest version, 9.0.124.0.
However, SWF files can have other embedded information, which is what was blocked by Norton. Since you have the most recent version of Flash Player, you should be protected as far as the Flash Player is concerned.
Perhaps you could check each site individually, both YouTube and the other site you mentioned to see which one is trying to generate the download.
Well, I checked every site I was on last night and nothing. Even if I am immune to this type of intrusion thanks to my version of Flash Player, is it still possible for someone to deliberately try to attack me with it? Even if the intrusion would be totally useless?
Gravel,
Anything is possible, however since Norton is doing its job and blocking remote code execution, I would feel confident that you are safe. Just keep your Norton up to date with the Automatic Live Update feature and run regular full system scans at least once per week.
Safe surfing is also part of the key.
If you get any more warnings from Norton, let us know and try to identify which website triggered the warnings.
Best Wishes.
I don't suppose someone from Norton could investigate that IP address where the intrusion was coming from?
Hi, it’s happened again. This time while visiting IGN.Com, a legitimate game review website. NIS told me it was coming from the same website. I’m really starting to think that this is a false positive that Norton needs to resolve with Adobe.
Okay, following up on my previous thread regarding HTTP Adobe SWF Remote Code Exec intrusion attempts from legitimate websites - [Mod note: removed link, due to merged thread link was circular.] I've had PMs from an admin (Tony Weiss) regarding the events described in that previous thread, but I have not heard anything back for a while now.
I told Norton to stop notifying me of these attempts, so I decided to look at my history to see if there were still any of these supposedly false positives coming from legitimate websites. I checked and noticed that the latest HTTP Adobe SWF Remote Code Exec intrusion attempt was coming from a computer called www.symantec.com! Its IP address was 24.153.19.144, 80.
Okay, it's nice of you to merge this thread. I'm glad a mod noticed it, but I still have not heard anything from you guys regarding this bug in a while. I hope whoever merged my two threads actually took the time to read my posts, especially my recent one. Also, can one of you mods please change the title of this thread to "HTTP Adobe SWF Remote Code Exec intrusion attempts from LEGITIMATE websites"? Since it's not just Adobe anymore? Thanks.
Hello Gravel,
Thanks for letting us know about this. We have been able to identify this issue and reproduce it in-house. We're currently looking at resolving this issue for the 2008 release.
Have you tried updating to the 2009 release? You can do so at http://www.norton.com/nis09 . While it may or may not correct the issue, chances are it might. Let me know if this helps the situation.
Thanks, I appreciate your concern. It's always good to know that our posts are being read and taken seriously.
I currently have NIS 2008. By "release", do you mean the next intrusion prevention signatures?
Thanks again.
Hi,
I'm new to this forum and am experiencing the same problem as the original poster on a PC running NIS 2008 with Win XP Pro/SP2 and IE7. However, it is not happening with NIS 2008 on my laptop running Vista Home Premium/SP1. Both computers are connecting to the internet via a wireless home network and are patched with all the latest updates from Microsoft. I presume I have the latest version of the Adobe Shockwave Flash Player but I'm not sure - how do I find this information?
The firewall notifications regarding the HTTP Adobe SWF Remote Code Exec intrusion attempt started only at the end of August this year and I've had about 4 of them - all inbound. However, today I had a firewall notification telling me that an outbound intrusion attempt from my desktop PC had been blocked when I tried to connect to a perfectly legitimate website for ordering Nespresso coffee. I had accessed the site via an e-mail I received today from the Nespresso Coffee Club - again perfectly legit. The website in question uses Flash. This is the first time I have received an outbound firewall notification concerning this Flash problem. Should I be worried or is there a bug in the Adobe Flash Player? I tried to replicate this on the laptop running Vista but did not receive a firewall intrusion attempt notification from NIS.
Thanks,
Debbie
Debbie,
I recommend you go to www.secunia.com and utilize their online scan or download their free personal scanner. The software tells you which of a host of common products are out-of-date or insecure and provides links for getting the latest versions. I've found it very useful and easy to work with.
They will tell you for sure if Adobe Flash is out-of-date or needs to be updated.
The only place you might experience confusion is if you have an "insecure" program located in an original system restoration file (which most new computers now have). Secunia tells you what folders the troublesome programs are in; and if you see they are in a restore section of your computer or a subfolder of some other product, you can tell Secunia to ignore it in the future since the product is not "active".
Hi catwoman8950,
This SWF blocking notification could be the result of a "driveby" attempt to infect your computer, or it could be a misinterpretation. I have had a similar event or two and I am running NIS2009.
I know that Tim Lopez from Symantec is looking into the issue and hopefully we will get a clarification shortly. If you check your Intrusion Prevention history logs in NIS, the outbound attempt by your computer may also show that there was an "attacking url" - listing the website that was trying to start the SWF remote code execution.
Until a clarification is posted, you are protected as NIS is blocking this action. If something needs to be tweaked in NIS, I am sure that will be forthcoming.
You should check that you have the most recent version of Adobe Flash Player as it does not always update itself.
You can go here to check your version; it will appear in a small box. Or you can do it manually by:
Go to Start > Control Panel > Add-Remove Programs and then click on Adobe Flash Player 9 Active X. Once highlighted, select "Click here for Support Information". That should then show you your version. The most recent is 9.0.124.0.
If you have an older version, you can go to the Flash Player Update site here to update your product. Just be careful on this update site because there is a default offer to download the Google Toolbar if you don't have it. It is not required for the Flash Player Update.
Hope that helps.
EDIT: I was typing as mijcar was posting - good idea there too.
Hi,
Thanks for the advice so far. I do not have a standalone version of the Adobe Flash Player installed but I checked in my Windows downloaded programs directory and the version of the Flash object file is indeed 9.0.124.0 which was created in March 2008. I have also done a WHOIS trace on the IP addresses of the inbound intrusions and with the exception of one from Doubleclick-net, they all point to Akamai Technologies which is some sort of Adobe Download Manager. I do have various Adobe programs on my PC including Photoshop CS3 and Acrobat 7 Pro. The same programs are installed on my laptop running Vista but I have not had any of these intrusions noted there. The latest intrusion notification listed me as the attacking computer but the IP address shown is for Internet Assigned Numbers Authority (IANA) and the attack was directed at Akamai Technologies.
Debbie
Okay, now things are really getting weird. I checked my recent history and two days ago NIS says it blocked a HTTP Adobe SWF Remote Code Exec intrusion FROM my computer TO SYMANTEC.COM (24.153.19.206, 80)!!
And yes, I do remember visiting symantec.com myself at that exact time.
I am also getting notifications that Norton is blocking HTTP Adobe SWF Remote Code Exec and that the attacking computer is my computer, the target is hs.interpolls.com which is some kind of advertising serving company.
A full scan by Norton doesn't find any infections on my computer, so I don't understand what on my system is attempting to "attack" interpolls.
I'm not sure what to do with this, and hope somebody can provide some advice.
When I started getting this bug, some of the "attacking computers" were from advertising servers that control ads on legitimate websites such as IGN. IMO, it is very possible that you were visiting a legit website that uses interpolls as its ad server and somehow NIS thought your computer was attacking. The same reason (which we still don't know) why NIS thought my computer was attacking symantec.com when I was visiting it.
I suggest you provide the admins with the IP address of the target computer either here or through a PM. It will help them get to the bottom of this.
This only happens when I go to the internet movie database - imdb.com and go into a page for a movie. It isn't happening on every movie page, but one it happens on every time is Waitress (2007).
Norton says it is blocking an attack coming from my computer on different ports, such as 2398 or 2464, and going to 207.246.192.48 or 207.246.192.40 on port 80.
I have all the most recent versions of Flash and Shockwave Flash player installed. I also downloaded the Secunia software mentioned in one of the above posts, and updated a couple of the programs it flagged.
It would be helpful if Norton identified the process that was initiating the traffic it was blocking.
I have another computer with the same version of Norton, very similar configuration that does not get this warning. The one difference is that the one getting the message is running IE6, the one free of messages is running IE7.
Here's another gripe - off topic. I wanted to see what Norton product I am running and can't find anything on any of the Norton screens that identifies it. I think it's NIS 2008, but not sure. The best I could do was find that it is version 15.5.0.23, but not if it is NIS 2007, 2008 or 2009.