New Zero-Day Attack Copies Earlier Flash Exploitation


Late on July 10, Microsoft released a blog post disclosing that they were aware of a zero-day attack in the wild. This attack exploits a previously unpatched Internet Explorer vulnerability (CVE-2013-3163). It’s interesting that the vulnerability was just patched in this month’s Patch Tuesday (July 9), which is perhaps only a coincidence. Although we do not know how long ago the attack began, we do have the official solution right now. (Apply the Microsoft patch if you haven’t done so.)

McAfee Labs rapidly responded to the threat. While digging into the exploitation process, we realized that this attack leverages the same exploitation technology that we were first to identify in an Adobe Flash zero-day attack in February. We call the new exploitation technology the Flash Vector exploitation. As highlighted in our blog post from February, we made a fairly accurate prediction:

More important, the technique looks like a common exploitation approach to Flash Player. The vulnerability actually doesn’t help much–just overwriting a few bytes that are considered as a field of “element number” for a specific ActionScript object. These traits show that the exploitation technique is not limited to this particular Flash vulnerability; it may apply to other Flash or non-Flash vulnerabilities.

Both of these attacks leverage a weakness inside Flash Player’s custom heap management, specifically the heap management of ActionScript “Vector.<>” objects. During our analysis, we also found some minor differences between the two attacks:

  • Because the trigger of the previous attack was a Flash vulnerability, that exploitation needed a step that frees a heap block (“leaving the hole”). In the second case this step is unnecessary because the trigger is an IE vulnerability: IE and Flash use different heap managers, so the IE bug can overwrite memory bytes managed by Flash’s heap directly.
  • In the earlier exploitation, the zero day leveraged the “Vector.<Number>()” object and corrupted its length field. In the current case, the exploit leverages the “Vector.<uint>()” object, again corrupting its length field. For example, the following code sprays many “Vector.<uint>()” objects in memory:

[Image: vector_spraying1, ActionScript code that sprays “Vector.<uint>()” objects]
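The length-field corruption described above, as an added illustration written for this post rather than code from the attack or from McAfee Labs: a toy C model of a length-prefixed vector (an assumed layout, not Flash Player’s real Vector.<uint> header) shows why a bounds check that reads its limit from an in-band length field is defeated once that field is overwritten, and how keeping a keyed second copy of the length lets the accessor detect the corruption before any out-of-range access happens. The arena layout, the neighbour marker, the secret constant and every function name are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model only: an assumed layout that is NOT Flash Player's real Vector.<uint>
 * header. It shows why a bounds check that trusts an in-band length field is
 * defeated by corrupting that field, and how a keyed copy of the length detects
 * the corruption before any out-of-bounds access happens. */

#define ARENA_BYTES 4096u
#define NEIGHBOUR_MARKER 0xBEEFCAFEu  /* constructed value placed just past the vector */

typedef struct {
    uint32_t length;        /* element count; the field corrupted in both attacks */
    uint32_t length_cookie; /* hardened copy: length XOR a per-process secret */
    uint32_t data[];        /* elements follow the header */
} toy_vector;

/* Constructed constant; a real runtime would draw this at startup. */
static const uint32_t LENGTH_SECRET = 0x5A17C0DEu;

/* Lay out a vector of n elements at the start of a fresh arena and put a marker
 * right after its last element, standing in for a neighbouring object's memory. */
static toy_vector *arena_with_vector(uint32_t n, uint8_t **arena_out)
{
    uint8_t *arena = calloc(1, ARENA_BYTES);
    if (!arena) abort();
    toy_vector *v = (toy_vector *)arena;
    v->length = n;
    v->length_cookie = n ^ LENGTH_SECRET;
    for (uint32_t i = 0; i < n; i++) v->data[i] = i;
    v->data[n] = NEIGHBOUR_MARKER;  /* first word beyond the vector, still inside the arena */
    *arena_out = arena;
    return v;
}

/* Unhardened accessor: trusts the in-band length field.
 * Returns 1 and stores the element on success, 0 if the index is rejected. */
int toy_get_unhardened(const toy_vector *v, uint32_t idx, uint32_t *out)
{
    if (idx >= v->length) return 0;
    *out = v->data[idx];
    return 1;
}

/* Hardened accessor: refuses to use a length that no longer matches its keyed copy.
 * Returns -1 on detected corruption, 0 if out of bounds, 1 on success. */
int toy_get_hardened(const toy_vector *v, uint32_t idx, uint32_t *out)
{
    if ((v->length ^ LENGTH_SECRET) != v->length_cookie) return -1;
    if (idx >= v->length) return 0;
    *out = v->data[idx];
    return 1;
}

/* Stand-in for the memory-corruption bug: a few header bytes are overwritten,
 * enlarging the length field. Nothing else about the object is touched. */
static void corrupt_length_field(toy_vector *v)
{
    v->length = 0x3FFFFFFFu;
}

/* Scenario 1: what the unhardened accessor hands back for an index past the real end. */
uint32_t unhardened_read_past_end(void)
{
    uint8_t *arena;
    toy_vector *v = arena_with_vector(16, &arena);
    corrupt_length_field(v);
    uint32_t leaked = 0;
    int ok = toy_get_unhardened(v, 16, &leaked); /* index 16 is one past the last real element */
    free(arena);
    return ok == 1 ? leaked : 0;
}

/* Scenario 2: the hardened accessor on the same corrupted object. */
int hardened_status_after_corruption(void)
{
    uint8_t *arena;
    toy_vector *v = arena_with_vector(16, &arena);
    corrupt_length_field(v);
    uint32_t val = 0;
    int status = toy_get_hardened(v, 16, &val);
    free(arena);
    return status;
}

/* Scenario 3: the hardened accessor on an intact object (1 in range, 0 out of range). */
int hardened_status_intact(uint32_t idx)
{
    uint8_t *arena;
    toy_vector *v = arena_with_vector(16, &arena);
    uint32_t val = 0;
    int status = toy_get_hardened(v, idx, &val);
    free(arena);
    return status;
}

int main(void)
{
    printf("unhardened read past end after corruption: 0x%08x (neighbour marker is 0x%08x)\n",
           (unsigned)unhardened_read_past_end(), (unsigned)NEIGHBOUR_MARKER);
    printf("hardened accessor after corruption: %d (-1 = corruption detected)\n",
           hardened_status_after_corruption());
    printf("hardened accessor on intact object, index 3: %d, index 16: %d\n",
           hardened_status_intact(3), hardened_status_intact(16));
    return 0;
}
```

The point of the model is the one the February prediction rests on: the bounds check itself is never bypassed, it is simply fed a limit the attacker chose, which is why a bug of any origin that can reach those few header bytes is enough. A hardening of this general shape, a second copy of the length that the accessor verifies before trusting either value, turns the same write into a detectable fault instead of an out-of-range access.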

McAfee Labs has released a couple of UDS signatures to protect customers of our Network Security Platform against the IE vulnerability as well as the exploitation. Signature “UDS-HTTP: Microsoft Internet Explorer CBlockElement bdo element tag Use After Free Vulnerability I” addresses the vulnerability, and “UDS-HTTP: Microsoft Internet Explorer CVE-2013-3163 Flash Exploitation” handles the exploitation. Also, the generic buffer overflow prevention feature on our HIPS products will stop the related attacks.

The author would like to thank Bing Sun, Chong Xu, and Xiaoning Li for their help with the analysis.
