The Inquirer-Home

Microsoft spots patched Adobe Flash Player vulnerability

Update now if you're running version 12.0.0.43 or earlier
Tue Feb 18 2014, 12:35

SOFTWARE GIANT Microsoft's Trustworthy Computing (TWC) unit has discovered a security vulnerability in a recently patched version of Adobe Flash Player that is being exploited in the wild.

Blogging about the exploit named CVE-2014-0497 at its Malware Protection Centre, Microsoft TWC security expert Chun Feng said the bug is very similar to that found last week and called CVE-2013-5330, and that the earlier vulnerability was addressed with a patch released by Adobe on 4 February.

"Flash Player versions 12.0.0.43 and earlier are vulnerable," Feng said. "We analysed how these attacks work and found the following details. The malicious file has been distributed as a .swf file, which contains: The vulnerability trigger, Shellcode, a PE file (encrypted)."

Feng said that the .swf file can be hosted on a web server and run when the webpage is visited, and when the .swf is loaded, the vulnerability is triggered.

"The .swf successfully bypasses the validation of memory range and is able to access an arbitrary location. It overwrites a pointer in a VTABLE to successfully pass control to a controlled location," Feng explained.

"The controlled location starts with stack pivot ROP gadgets built from a Flash Player DLL. The ROP gadgets call VirtualProtect() to make the shellcode memory region executable. Finally, the control is passed to the shellcode via a jmp esp instruction."

TWC said that the exploit works across multiple Flash Player versions and in its testing, it was able to reproduce the attack in Adobe Flash Player versions 11.6.602.171, 11.6.602.180, 11.7.700.169, 11.7.700.202, 11.7.700.224, 11.8.800.94, 11.8.800.168, 11.8.800.175, 11.9.900.117, 11.9.900.152 and 11.9.900.170.

Versions 12.0.0.43 and earlier are known to contain the vulnerability used by the attack, but 12.0.0.43 also includes a mitigation that prevents building the ROP gadget from the Flash Player DLL. "The sample we analysed does not support version 12.x for this reason," Feng added.

Microsoft TWC recommended that if you're using Flash Player version 12.0.0.43 or earlier, you should update Flash Player now to be protected against these attacks. µ

 
