David Baxter PhD

Attackers Exploiting Critical Flash Bug Via Drive-By Download
by Dennis Fisher, Threatpost
June 20, 2011

Attackers have begun actively exploiting the critical Adobe Flash vulnerability that Adobe patched last week, using rigged Web pages and phishing techniques to compromise vulnerable machines. The attack code is being hosted on a number of sites around the Web right now, researchers said.

Adobe warned last week when it released a patch for the bug that the vulnerability in Flash can be used for remote code execution, and that's being proven out right now. Researchers at Websense have found a number of sites that are rigged with malicious code designed to exploit the Flash vulnerability and the exploit itself is using some rather advanced techniques in order to compromise users' machines.

The attack begins as most drive-by download attacks do, with a user visiting a malicious site with a browser running a vulnerable version of Flash. The site loads a malicious Flash file, which contains the exploit for the Flash bug and begins the exploitation chain. From there, the interesting parts kick in.

"The exploit samples we've seen so far use heap information leakage, so that it doesn't have to spray the heap. This is a more advanced exploit technique than we usually see but it makes the exploit more stable and won't crash the process, which can easily happen when a heap spray is used," Websense's Patrik Runald said in a blog post on the attack.

"Once the vulnerability is triggered, the transfer of execution from legitimate code to malicious code takes place when the stack pointer is replaced with EAX."

After the attack succeeds in compromising the machine's stack, it then uses return-oriented programming (ROP) techniques in order to find a spot to execute the shellcode. That code then downloads an encrypted binary from a remote server that's decrypted on the user's machine and stored. At that point, it's game over for the user.

Attacks on Flash vulnerabilities via drive-by download have been a favored technique for hackers for some time now, and it seems that the time frame in which they're beginning to exploit new bugs is being compressed. More and more attacks are popping up within days of the discovery or public disclosure of a new Flash bug, so installing the patches for these vulnerabilities is becoming ever more important.