Last month, Adobe released security advisory APSA11-01 and a product update for a critical flaw in Adobe Flash Player and in authplay.dll, the Flash component that ships with Adobe Reader and Acrobat. That vulnerability (CVE-2011-0609) was exploited in the wild in targeted attacks using a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.
Yesterday, Adobe released another security advisory, APSA11-02, alerting users to a new critical flaw in the same components: Flash Player and the authplay.dll component of Adobe Reader and Acrobat. This vulnerability is currently being exploited in the wild in targeted attacks, this time via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment.
The vulnerability (CVE-2011-0611) can crash the affected application and can be used to run arbitrary code, which means an attacker can download or drop additional malicious files onto the affected system.
Adobe is currently finalizing a schedule for releasing updates for the affected products.
Affected software versions
- Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.2.154.25 and earlier for Chrome users
- Adobe Flash Player 10.2.156.12 and earlier for Android
- The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems
NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.
ActnS/CVE-2011-0611!exploit is CA's detection for SWF files that exploit this vulnerability in the Flash Player versions listed above (10.2.153.1 and earlier for Windows, Macintosh, Linux and Solaris; 10.2.154.25 and earlier for Chrome users; 10.2.156.12 and earlier for Android).
This 0-day vulnerability was spotted in the wild, and an earlier report indicates that the maliciously crafted Microsoft Word document (176,144 bytes) arrives via email sent only to its targeted victims.
The embedded malicious SWF contains ActionScript code that sprays the heap with NOP sleds and the shellcode, so that when the vulnerability diverts control flow into the sprayed region, execution slides down the sled into the shellcode.
The screenshot in Figure 1 shows the decoded ActionScript; the highlighted part is the shellcode:
[Figure 1 - Malicious ActionScript]
[Figure 2 - Sample injected Shell Code]
The payload is embedded in the Microsoft Word file.
Inspecting the file, you may notice that even though it appears to contain another executable, you cannot find the MZ header or the PE header. That is because the embedded executable is encrypted with a simple XOR. The purpose of this routine is to evade anti-virus engines that scan for embedded executables.
[Figure 3 - Malicious Executable Embedded]
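The two tricks described above (a SWF hidden inside an Office document, and an executable whose MZ/PE headers are masked by XOR) are both easy to find once you know to look for them. The script below is an added example written for this post, not CA's detection logic or anything recovered from the sample. It assumes the XOR uses a single repeating key byte (the post only says "a simple XOR"), and it runs over a constructed stand-in blob rather than the real 176,144-byte document: it locates SWF headers by their FWS/CWS/ZWS signature and brute-forces all 256 single-byte keys looking for an MZ header, the DOS stub text and the PE signature at e_lfanew.

```python
# Added example, not from the original CA post. Scans a document blob for an
# embedded SWF header and for a PE image hidden behind a single-byte XOR key
# (the single-byte assumption is ours; the post only says "a simple XOR").
import struct

DOS_STUB = b"This program cannot be run in DOS mode"


def find_embedded_swf(data: bytes):
    """Return (offset, signature, version, declared_length) for each plausible
    SWF header. A SWF starts with FWS (uncompressed), CWS (zlib) or ZWS (LZMA),
    then a 1-byte version and a 4-byte little-endian total file length."""
    hits = []
    for sig in (b"FWS", b"CWS", b"ZWS"):
        start = 0
        while True:
            i = data.find(sig, start)
            if i < 0 or i + 8 > len(data):
                break
            version = data[i + 3]
            length = struct.unpack_from("<I", data, i + 4)[0]
            # Cheap sanity check to cut false positives on random bytes.
            if 1 <= version <= 40 and 8 <= length <= 64 * 1024 * 1024:
                hits.append((i, sig.decode(), version, length))
            start = i + 1
    return hits


def find_xor_encoded_pe(data: bytes):
    """Try every single-byte XOR key (key 0 covers the unencoded case).
    Return (key, mz_offset) when the DOS stub text is preceded by an 'MZ'
    header whose e_lfanew points at a 'PE\\0\\0' signature, else None.
    The per-key full re-decode is fine for a sample; a production scanner
    would XOR only candidate windows."""
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        pos = decoded.find(DOS_STUB)
        while pos >= 0:
            mz = decoded.rfind(b"MZ", max(0, pos - 0x100), pos)
            if mz >= 0 and mz + 0x40 <= len(decoded):
                e_lfanew = struct.unpack_from("<I", decoded, mz + 0x3C)[0]
                pe = mz + e_lfanew
                if pe + 4 <= len(decoded) and decoded[pe:pe + 4] == b"PE\x00\x00":
                    return key, mz
            pos = decoded.find(DOS_STUB, pos + 1)
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for the dropped executable: MZ header, DOS stub
    text and a PE signature at e_lfanew = 0x80. Not a runnable binary."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    hdr += struct.pack("<I", e_lfanew)                       # e_lfanew at 0x3C
    hdr += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    hdr += DOS_STUB + b".\r\r\n$"
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00" + b"\x00" * 20
    return bytes(hdr)


XOR_KEY = 0x5A  # constructed key for the sample; the real one is unknown to us


def build_sample_document() -> bytes:
    """Constructed sample: an OLE magic number, an uncompressed SWF header with a
    tiny body, then the fake PE XOR-encoded with XOR_KEY. Not a real sample."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    swf_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_body)) + swf_body
    encoded_pe = bytes(b ^ XOR_KEY for b in build_fake_pe())
    return ole_magic + b"\x00" * 32 + swf + b"\x00" * 16 + encoded_pe


if __name__ == "__main__":
    doc = build_sample_document()
    for off, sig, ver, ln in find_embedded_swf(doc):
        print(f"SWF {sig} v{ver} at offset {off}, declared length {ln}")
    hit = find_xor_encoded_pe(doc)
    if hit:
        print(f"XOR-encoded PE: key 0x{hit[0]:02X}, MZ at offset {hit[1]}")
```

Run it against a suspect .doc by replacing build_sample_document() with the file's bytes. Requiring the DOS stub, the MZ header and the PE signature to line up is what keeps the brute force from firing on every "MZ" pair that a random key happens to produce; a multi-byte key would need the same idea applied per key-position.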
The dropper then opens the non-malicious decoy document "Disentangling Industrial Policy and Competition Policy.doc" so that users are unaware that their machine has been compromised.
[Figure 4 - Non Malicious Microsoft Word Document]
Reference:
http://www.adobe.com/support/security/advisories/apsa11-02.html
CA detections related to this attack are W97M/CVE-2011-0611!dropper, ActnS/CVE-2011-0611!exploit, Win32/Smalldoor variant and Win32/Poison variant.
To help protect your machines from being infected, never open files from untrusted sources; this applies especially while the vulnerability remains unpatched. And of course, always keep your CA Security Product signature files up to date!