CVE-2012-1535: Adobe Flash Player Vulnerability Exploited with Multiple Emails

As we are all aware, Adobe released security updates for Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh, and Linux. These security updates address the Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability that could cause the application to crash and potentially allow an attacker to take control of the compromised computer. Adobe has also stated that there are reports of the vulnerability being exploited in the wild in limited targeted attacks distributed through malicious Word documents.
 


 

We have observed these threats since August 10, 2012, and to-date we have successfully blocked more than 1,300 samples. The first sample we saw arrived with the email subject “Reports for AWEML” with an attachment called “[RANDOM NUMBER]AWE Platinum Partners.doc”.

The Word document contains a malicious SWF file with ActionScript that utilizes heapspraying techniques using the shellcode embedded within it. The following excerpt from the SWF ActionScript indicates involvement of a font file that is used to trigger the vulnerability.
 


 

These malicious samples used a similar attack approach except with different email subject lines, body text, and attachment file names. Here are some examples:
 


 

The following graph illustrates the number of mass mailing and targeted attacks that were blocked last week:
 


 

A large number of attacks were sent on August 13. The following graphics break down the email subjects and number of emails blocked on that day:
 

 


 

Even though the attacker managed to generate a variety of emails containing malicious attachments, the emails were unable to get past our Skeptic heuristic engine.

We would recommend that users keep their systems up-to-date with the latest security patch released by Adobe for this vulnerability.