SOFTWARE GIANT Microsoft's Trustworthy Computing (TWC) unit has discovered a security vulnerability in a recently patched version of Adobe Flash Player that is being exploited in the wild.
Blogging about the exploit named CVE-2014-0497 at its Malware Protection Centre, Microsoft TWC security expert Chun Feng said the bug is very similar to that found last week and called CVE-2013-5330, and that the earlier vulnerability was addressed with a patch released by Adobe on 4 February.
"Flash Player versions 220.127.116.11 and earlier are vulnerable," Feng said. "We analysed how these attacks work and found the following details. The malicious file has been distributed as a .swf file, which contains: The vulnerability trigger, Shellcode, a PE file (encrypted)."
Feng said that the .swf file can be hosted on a web server and run when the webpage is visited, and when the .swf is loaded, the vulnerability is triggered.
"The .swf successfully bypasses the validation of memory range and is able to access an arbitrary location. It overwrites a pointer in a VTABLE to successfully pass control to a controlled location," fend explained.
"The controlled location starts with stack pivot ROP gadgets built from a Flash Player DLL. The ROP gadgets call VirtualProtect() to make the shellcode memory region executable. Finally, the control is passed to the shellcode via a jmp esp instruction."
TWC said that the exploit works across multiple Flash Player versions and in its testing, it was able to reproduce the attack in Adobe Flash Player versions 11.6.602.171, 11.6.602.180, 11.7.700.169, 11.7.700.202, 11.7.700.224, 11.8.800.94, 11.8.800.168, 11.8.800.175, 11.9.900.117, 11.9.900.152 and 11.9.900.170.
Versions 18.104.22.168 and earlier are known to contain the vulnerability used by the attack, but 22.214.171.124 also includes a mitigation that prevents building the ROP gadget from the Flash Player DLL. "The sample we analysed does not support version 12.x for this reason," Feng added.
Microsoft TWC recommended that if you're using Flash Player version 126.96.36.199 or earlier, you should update Flash Player now to be protected against these attacks. µ
Sign up for INQbot – a weekly roundup of the best from the INQ