Adobe Flash Zero-Day Attack Uses Advanced Exploitation Technique

On February 7, Adobe issued a security bulletin warning of zero-day attacks that leverage two Flash vulnerabilities. One (CVE-2013-0634) is related to ActionScript regular expression handling. (Some sources refer to this vulnerability as CVE-2013-0633. We are waiting for Adobe to confirm the proper CVE ID.)

McAfee Labs rapidly responded to the threat. While digging in depth into the original sample, we found that the exploit uses highly sophisticated exploitation techniques to attack various Flash Player versions. It also includes “user-friendly” tricks that give no signs or symptoms to its victims.

The ingenious exploit uses a previously unknown technique to craft the heap memory on Flash Player. With the aid of a regular expression-handling vulnerability that is related to a heap-based buffer overflow, the attack can create a highly reliable memory information leak that allows the exploit to bypass the usually effective exploitation mitigations of address space layout randomization (ASLR) and data execution prevention (DEP) on Windows 7 and other versions.

More important, the technique looks like a common exploitation approach to Flash Player. The vulnerability actually doesn’t help much–just overwriting few bytes that are considered as a field of “element number” for a specific ActionScript object. These traits show that the exploitation technique is not limited to this particular Flash vulnerability; it may apply to other Flash or non-Flash vulnerabilities.

McAfee Labs has learned the full details of this exploitation technique, and plan to publish our analysis in the near future. Watch this space for updates.

At this moment, considering the dangerousness of the attack, we strongly recommend that all users update their Flash Players. The official patch is available here. Though the patch doesn’t kill all exploitation techniques, it will keep systems immune to the current exploits in the wild.

For McAfee customers, various protections are provided. We have released signature “0x402df600_HTTP_Adobe_Flash_Player_CFF_Heap_Overflow_Remote_Code_Execution” for the exploits related to CVE-2013-0633 and “0x402df700_HTTP_Adobe_Flash_Player_ActionScript_Buffer_Overflow_Remote_Code_Execution” for CVE-2013-0634 for the Network Security Platform appliances. Also, the generic buffer overflow prevention feature on our HIPS products will stop the related attacks.

 

Thanks to Bing Sun, Xiaobo Chen, and Chong Xu for their help with this analysis.