Flash Player Vulnerability Used for Targeted Attacks

    At the end of last week, Adobe closed the Flash Player vulnerability CVE-2014-0502 with update APSB14-07. According to FireEye, several public and large private websites were compromised with a malicious iframe that redirected visitors to a web page hosting an exploit for the 0day vulnerability. The exploit takes advantage of legacy libraries compiled without ASLR support to build stable and portable ROP chains that bypass DEP. On Windows XP, the ROP gadgets are built from msvcrt.dll. On Windows 7, the exploit uses the hxds.dll library, which is included with Microsoft Office 2007 & 2010 (see MS13-106 "Security Feature Bypass"), as well as msvcr71.dll from out-of-date Java 1.6 & 1.7. For more information on the use of these DLLs, see the table.

    After successful exploitation, the malicious .swf loads the PlugX remote access tool (RAT) (ESET: Win32/Korplug.BX, Microsoft: Backdoor:Win32/Plugx.H) onto the user's system. The exploit itself is detected by ESET as SWF/Exploit.CVE-2014-0502.A (Microsoft: Exploit:SWF/CVE-2014-0502.A, Symantec: Trojan.Swifi). Browsers such as Internet Explorer (10 & 11 on Windows 8 / 8.1, through Windows Update) and Google Chrome have updated their versions of Flash Player automatically. For IE, see the updated Security Advisory 2755801. You can check whether your version of Flash Player is current here; the table below shows these versions for various browsers.

    The exploit does not contain features to bypass sandbox mechanisms in IE or Chrome. Our usual recommendations in this case:

    • Use browsers that support sandboxing.
    • Update your software & OS regularly.
    • Use EMET or security products that can detect and block exploit actions in a timely manner. Yesterday Microsoft released the EMET v5 Technical Preview, which can be downloaded here.

    Be secure.
