Last November 25, Adobe issued an out-of-band patch for the CVE-2014-8439 vulnerability, which impacts Adobe Flash Player versions on Windows, Mac OS, and Linux. Adobe’s advisory describes this vulnerability as a “de-referenced memory pointer that could lead to code execution.”
Despite efforts by Adobe to quickly patch their software vulnerabilities, we noticed that exploit kit authors seem to be one step ahead. This is very dangerous to ordinary home users who rarely patch their software, let alone Adobe Flash Player, which users may configure for updates every seven days to 60 days, maximum. This gives the cybercriminals more than enough time to exploit the vulnerabilities they find in the software in order to reach their targeted users.
As we’ve continuously mentioned in our blog, attackers are always looking for the weakest part in any software. However, Adobe Flash seems to be the ripest target for cybercriminals after moving their attention away from Java, which issued a security warning popup whenever any Java applet is executed from the browser. Attackers are also attacking Internet Explorer (IE), but after the browser introduced isolated-heap and delay-free against user after free (UAF) exploits, Adobe Flash is left as the ‘weakest’ application to exploit.
Exploitation by Various Exploit Kits: An Analysis of CVE-2014-8439
According to other security researchers, this vulnerability has already been previously exploited by popular exploit kits, such as Angler, Nuclear, and Astrum.
We checked the sample used in Nuclear exploit kit and found out that it has a different exploitation method from CVE-2014-0515, another critical Adobe Flash Player vulnerability that was found in April this year.
We consider this a new exploit for two reason. First, the exploit is successful in Flash versions released before October 14 this year. This exploit may also lead to the disruption or crashing of Flash versions prior to the November 25 update.
The more compelling reason lies in the method of exploitation. As mentioned earlier, Adobe Flash has become a prime target after improvements made to Java and Internet Explorer, and exploit kit authors are quite familiar with the structure and logic of the application. It would only make sense that they use a method that would be considered “stable.” Instead, we found that the attackers used an old and unstable method to exploit CVE-2014-8439. We are curious why the author used this method instead of the stable method.
The flow used in this exploit can be seen below:
Figure 1. The main flow of the exploit for CVE-2014-8439
The usage of vector .<int> above is similar to CVE-2014-0515, which is used to read/write any memory address. But after that, it goes totally different way. In CVE-2014-0515, a function in Adobe Flash Player is used to call function VirtualAlloc()&VirtualProtect(), which is a stable way to bypass DEP. But in this CVE, it still uses complex return-oriented programming (ROP) to do that.
Figure 2. ROP used in CVE-2014-8439
Interestingly, the binary used in CVE-2014-0515 is still kept in CVE-2014-8439. However, we cannot find where it is used. Did the author forget to remove it? That might explain why some vendors detect this specific binary as CVE-2014-0515, and not CVE-2014-8439.
Figure 3. A binary in CVE-2014-8439, same as CVE-2014-0515
Trend Micro Solutions for CVE-2014-8439
It would be ideal to detect this newest exploit through the same signature, but we don’t want to rely on luck. Our products have a script analyzer module, which uses dynamic emulation to de-obfuscate the script and analyze script’s behaviors. The behavior rule “SWF.Dynamic.HeapSpray.A” created in June this year can detect this new exploit on new vulnerabilities. The same rule also can detect another recent exploits CVE-2014-0569 and CVE-2014-8440. The rule is targeting on the following method to read/write any memory, which is frequently used in Flash exploits.
Figure 4. Detection point in our script analyzer module
Script Dynamic Emulation as an Effective Tool against Targeted Attacks
Script-based exploits are widely used in targeted attacks. Because scripts can easily be obfuscated, static signature-based solutions proves ineffective in detecting new variants. Heuristic analysis is helpful as it acts as a fast filter before sandboxing. Sandboxing makes the final decision and controls the false-positive rate based on behavioral analysis.
All sandboxes have behavioral analysis of payload on an operating system, but a good sandbox should also include behavior analysis of exploit (script) in exploitable application. This is because it’s hard to trigger an exploit with stability, especially in a limited specific VM environment in a sandbox. Sandbox detections will fail because of unsuccessful exploits or unsuccessful payload downloading.
In such a situation, studying the behavior of an exploit helps. By dynamic emulation, we can simulate the execution of a script in a controllable environment to study its behavior. These behaviors may include heap spray techniques, ROP, or function call with specific parameter for specific CVE, and any other anomaly usage.
Of course, script dynamic emulation has its limitations, and attackers will also try their best to evade these techniques. In-depth defense is necessary for defending against targeted attacks, coupled with heuristic scanning, monitoring system behavior monitor, dynamic emulation to give users the best protection.
Though the fixing comes after the actual exploit, Adobe released an update last October 14 which can prevent the exploit from taking place. Users with Flash Player version above 15.0.189/13.0.250/188.8.131.521 are protected from these exploits. However, since the root-cause of this bug was only fixed in the latest update, we still recommend users to upgrade Adobe Flash Player as soon as possible to avoid being infected by other exploit variants.
For Trend Micro users, Titanium and OfficeScan are equipped with the script analyzer module mentioned above, which has effective detection on exploit kit. And the detection can automatically expend to URL and binary signature to share among Trend Micro users via the Trend Micro™ Smart Protection Network™. For enterprise users, we recommend Trend Micro ™ Deep Discovery™ to protect organization from unknown exploits and possible targeted attacks.
Additional insights and analyses by Michael Du, Peter Pi and Moony Li.
Below are the hashes related to this analysis:
- 80B632B139F11CAC5E832092BF173C2B11D80E3E, SWF_EXPLOYT.LDCE
- 34567961ad0326e63a8968e2b7f108d940ff6b80, TROJ_WALEDAC.WJG
Update as of November 29, 2014, 2:51 A.M. (PST)
- The blog entry has been edited to further explain the classification of the new exploit.