Thursday, August 16, 2012

CVE-2012-1535: Flash 0-day In The Wild

Yesterday Adobe released APSB12-18, which addressed CVE-2012-1535. As noted in the Adobe bulletin, the vulnerability has been actively exploited in the wild, though primarily in targeted attacks wrapped in Microsoft Word documents.

The VRT was able to obtain a sample of one of the documents that has been circulating in the wild, and has created several new rules that detect it. While the vulnerability itself is complex - as are most Flash issues - there are several extremely obvious indicators of malicious intent in the file, including plaintext strings and several unencoded, unobfuscated characters commonly associated with heap spray techniques. Given that even compressing the Flash - which is trivial to do, and commonly found in the field - would have obscured these indicators, we're a bit puzzled as to why the actors behind these attacks chose not to do so, particularly since sending such an obviously malicious file presented them with the risk of having their 0-day attack discovered.

We've released several new rules today to detect this attack. SIDs 23853 and 23854 look for the underlying vulnerability, and 23856 and 23857 will detect the specific Flash files used in the document mentioned above. SIDs 23857 - 23862 look for different variants of the heap spray bytes used in this attack, that are common in other attacks in the field.

It's also worth noting that SIDs 18546 or 18549 (depending on the delivery mechanism - HTTP vs. SMTP, respectively), which look for Flash files embedded in Word documents, would have caught this attack prior to discovery by any party. While there are occasional legitimate uses for such documents, you may wish to consider enabling those rules in your particular environment - especially if you're willing to trade 0-day detection for the occasional false positive.
Add to Technorati Favorites Digg! This
Post a Comment