Exploits targeting two previously unreported flaws in Flash Player prompted Adobe to release an emergency patch yesterday. One of the attacks is targeting aerospace and other manufacturing companies, and is being delivered via infected Microsoft Office documents. The other is being carried out over the Web targeting Firefox and Safari on Mac OS X.
Adobe recommends users immediately apply the security updates; the patches are for Adobe Flash Player 11.5.502 and earlier for Windows and Mac OS X; Flash 11.2.202.261 and earlier for Linux; Flash 11.1.115.36 and earlier for Android 4.x; and Flash 11.1.111.31 and earlier for Android 3.x and 2.x.
CVE-2013-0633 has been assigned to the Office-based attacks and covers a buffer overflow vulnerability that could lead to code execution. CVE-2013-0634 has been assigned to the Web-based attacks and addresses a memory-corruption vulnerability. Websites have been found hosting malicious .SWF files and the attacks target Firefox and Safari.
The targeted attacks are using spear phishing email messages to trick victims into opening Word file attachments that are carrying an embedded .SWF Flash Player file. Jamie Blasco, manager of AlienVault Labs said the email attachments purport to be either an IEEE Aerospace conference schedule guide, or a quick reference guide from ADP online payroll services.
The SWF files used in the exploit work only against certain versions of Flash and operating systems; they also reference a character in the video game Dishonored called Lady Boyle in the name of the action script embedded in the SWF file.
One sample, spotted by FireEye and AlienVault tries to connect to a command and control server that references IEEE and Boeing. It is signed with a phony digital certificate from South Korean gaming company MGAME used in other targeted attacks to spread the PlugX remote access Trojan, among other malware. FireEye researchers Josh Gomez, Thoufique Haq, and Yichong Lin said the executable renames itself and tries to masquerade as a Google update.
“It is worth mentioning that the executable file isn’t obfuscated at all,” Blasco said. “That means most of the security products should be able to detect this threat using generic signatures.”
FireEye said the Word files are written in English, but the codepages are done in Windows Simplified Chinese. They also said multiple exe files are dropped as well as a 64-bit DLL payload, one of which is signed with the phony cert. The researchers added that, in addition to adding itself to startup to maintain persistence on machines it infects, the malware also checks for security software processes avp.exe, ctray.exe, tray.exe and 360tray.exe.
The web-based attacks, meanwhile, are primarily drive-by downloads where attackers lure victims to a website hosting the malicious Flash file. Adobe said the attacks are limited to Firefox or Safari, and can also be delivered via Word document attachments. Adobe also credited Lockheed Martin, MITRE and the Shadowserver Foundation for reporting the exploit.
Adobe also made a separate announcement that an upcoming version of Flash Player will be able to determine whether a file is being launched within an Office version prior to 2010 which does not include the sandbox protection present in Office 2010. Users will be prompted with a warning and must choose whether to execute the file.
Therefore, if an end-user opens a document containing malicious Flash content, the malicious content will not immediately execute and impact the end-user. This extra step requires attackers to integrate a new level of social engineering that was previously not required,” said Peleus Uhley, Platform Security Strategist, with Adobe’s ASSET team. “We’ve seen these types of user interface changes lead to shifts in attacker behavior in the past and are hopeful this new capability will be successful in better protecting Flash Player users from attackers leveraging this particular attack vector as well.”