When Adobe warned customers earlier this week about a newly discovered vulnerability in the Flash Player software, company officials said that there were already attacks underway against the bug. Those attacks are using malicious Flash files buried in Word documents, and Microsoft’s security engineers have analyzed the exploits and found some interesting details.
This is the second serious Flash vulnerability in recent weeks that attackers have targeted through the use of malicious Office files. In a previous round of attacks, hackers were going after an earlier Flash zero day with rigged Excel files. This time, Microsoft officials said, not only is the bug different, but so is the attack. Though both attacks use malicious Office files to trick users, the details are dissimilar.
The attack reaches the user via a spam message, often with a subject line referencing the Fukushima nuclear disaster, and carrying a malicious Word document as an attachment.
“Once a user opens the document, Flash Player will load the malicious file and exploitation will occur. Unlike the previous vulnerability, a bug in the ActionScript Virtual Machine version 1 is now used in the exploitation process. Another difference is that this is not a result of fuzzing clean files. We won’t disclose any detail on what triggers the vulnerability, for security reasons, obviously,” Marian Radu, Daniel Radu and Jaime Wong of the Microsoft Malware Protection Center wrote in an analysis of the Flash exploit attempts.
“In order to exploit this vulnerability the attackers packaged the AVM1 code inside an AVM2 based Flash file. The latter is embedded inside the Word document and assigned with setting up the exploitation environment. Initially the AVM2 code constructs a heap-spray buffer made of a NOP-sled.”
The next step is the construction of the shellcode, which in turn loads the Flash exploit code inside the Flash Player.
“The AVM1 code that triggers this vulnerability is loaded as a separate SWF file, converted from a hex-encoded embedded string and executed,” the researchers said.
The shellcode performs some other tasks, as well, including installing a benign Word document on the compromised machine as a way of hiding the original malicious file.
This attack method is essentially the one that the attackers used to compromise RSA last month and steal some data related to the company’s SecurID product line.
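The packaging the researchers describe, a Flash file inside a Word document that carries a second SWF as a hex-encoded string, leaves a structural trace a mail or endpoint scanner can triage on. The following is an added example, not code from Microsoft's analysis or from the original article: it carves SWF headers out of a document blob, inflates compressed ones, and reports hex strings that decode to a further SWF header. The function names are illustrative, and it assumes the outer SWF is stored contiguously and the hex string appears as plain ASCII in the inflated body.

```python
import re
import struct
import zlib

SWF_HEADER = re.compile(rb"[FC]WS")                            # FWS = plain, CWS = zlib body
HEX_SWF = re.compile(rb"(?i)(?:46|43)5753(?:[0-9a-f]{2}){5,}")  # "FWS"/"CWS" spelled in hex

def parse_header(raw):
    """Return (signature, version, declared_length) or None if implausible."""
    if len(raw) < 8:
        return None
    version, length = struct.unpack_from("<BI", raw, 3)
    if not (1 <= version <= 64 and length >= 8):
        return None
    return raw[:3].decode("ascii"), version, length

def carve_swf_bodies(blob):
    """Yield (offset, body) for each plausible SWF in blob, inflating CWS."""
    for m in SWF_HEADER.finditer(blob):
        header = parse_header(blob[m.start():m.start() + 8])
        if header is None:
            continue
        body = blob[m.start() + 8:]
        if header[0] == "CWS":
            try:
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue
        yield m.start(), body

def scan(blob):
    """Return [(outer_offset, inner_header)] for hex-encoded SWFs nested in carved SWFs."""
    findings = []
    for offset, body in carve_swf_bodies(blob):
        for m in HEX_SWF.finditer(body):
            inner = parse_header(bytes.fromhex(m.group().decode("ascii")))
            if inner:
                findings.append((offset, inner))
    return findings

# Constructed sample: harmless placeholder inner SWF, hex-encoded in a CWS, in an OLE2-magic blob.
INNER = b"FWS" + bytes([8]) + struct.pack("<I", 21) + b"\x00" * 13
OUTER_BODY = b"\x00\x01" + INNER.hex().encode("ascii") + b"\x00\x01"
OUTER = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(OUTER_BODY)) + zlib.compress(OUTER_BODY)
SAMPLE_DOC = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 24 + OUTER + b"\x00" * 16

if __name__ == "__main__":
    for offset, (sig, version, length) in scan(SAMPLE_DOC):
        print(f"SWF at offset {offset} carries hex-encoded {sig} v{version}, declared length {length}")
```

A hit is a triage signal rather than a verdict: it flags documents worth sandboxing or manual review, and a raw byte scan can miss an embedded object that is fragmented across the container.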
Posted on 13 April 2011. Tags: Adobe, Application, Attacks, flash, Malware, Microsoft, RSA, Security, Vulnerabilities, Web
The above information is reprinted from and copyrighted © by threatpost - The First Stop for Security News.