Targeted Attack Uses Recent Adobe Flash Player Vulnerability (CVE-2012-0779)
Reports of a targeted attack surfaced recently. One such attack arrives as an email message that tricks users into executing a malicious attachment. The malicious attachment, as expected, is a file that exploits CVE-2012-0779, found in several versions of Adobe Flash Player. Successful exploitation may allow an attacker to take over the infected system.
We came across a .DOC file that spoofs a professional organization. When executed, the attachment file, detected as TROJ_SCRIPBRID.A, connects to a URL to access the .SWF files that exploit this Flash Player vulnerability and drops a backdoor onto the system. Trend Micro detects the .SWF files as SWF_LOADER.EHL, while the backdoor is detected as BKDR_INJECT.EVL. The said backdoor connects to its command-and-control (C&C) server to receive commands from a remote user.
The vulnerability described in CVE-2012-0779 is found in specific versions of Adobe Flash Player that run on Windows, Macintosh, Linux and even Android OS. Described by Adobe as an object confusion vulnerability, successful exploitation of this software bug may lead to an application crash and can also allow an attacker to take control of the infected system.
To address this, Adobe recommends that users update Adobe Flash Player to the latest version. Trend Micro Deep Security users must apply rule 1004995 – Oracle Database TNS Listener Poison Attack Vulnerability to effectively prevent attacks. More about this vulnerability and the corresponding solution may be found on Adobe’s security bulletin page.
Flashback Variant Exploits CVE-2012-0507
The other notable vulnerability we’ve reported on since last month is CVE-2012-0507, which was actively used in the Flashback attacks that plagued Mac users. In particular, OSX_FLASHBCK.AB was found to exploit this vulnerability, which allows arbitrary code execution by a remote attacker.
Further investigation by my colleague Sumit Soni reveals that CVE-2012-0507 is a vulnerability in the Java Runtime Environment (JRE) that stems from the bytecode verifier, a component of the Java security sandbox. This component guarantees the type safety imposed by the language semantics, which prevents untrusted code from accessing memory it should not, so that every resource access is an explicit request made by the code itself.
To be more specific, this is a type safety vulnerability in the AtomicReferenceArray class implementation. AtomicReferenceArray ensures that the array cannot be updated simultaneously by different threads. However, it does not properly check whether the array is of the expected Object type. A malicious Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or to bypass the Java sandbox restrictions. An attacker may manually construct a serialized object graph, insert any array into an AtomicReferenceArray instance and then use the AtomicReferenceArray.set() method to write an arbitrary reference, violating type safety.
Exploiting this vulnerability allows a Java applet to bypass JVM sandbox restrictions and achieve execution with full privileges. It is easily exploitable because it is a logical flaw in the code shipped with vulnerable versions of the JRE. This vulnerability affects a wide range of web browsers and platforms, including Windows, Linux, OSX and Solaris.
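Because the attack described above depends on a hand-built serialized object graph that names AtomicReferenceArray, one practical detection check for a gateway or sandbox is to scan Java serialization streams for that class descriptor. The scanner below is an added example written for this post, not code from the original article or from Trend Micro; the sample streams are constructed and truncated, and the class-descriptor layout (0x72, 2-byte length, class name) follows the public Java Object Serialization format.

```python
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream magic + version 5
TC_CLASSDESC = 0x72                   # marks a class descriptor in the stream
IDENT = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$[;")
SUSPECT_CLASSES = {"java.util.concurrent.atomic.AtomicReferenceArray"}

def class_descriptors(stream):
    """Yield class names found in TC_CLASSDESC records.

    Heuristic scan, not a full parser: each 0x72 byte is tested for a
    following 2-byte big-endian length and a name made only of identifier
    characters. A descriptor reused later via TC_REFERENCE (0x71) is not
    repeated in the stream, so each class is reported once, where it first appears.
    """
    if not stream.startswith(STREAM_MAGIC):
        return                                # not a Java serialization stream
    i = len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", stream[i + 1:i + 3])
            name = stream[i + 3:i + 3 + n]
            if 0 < n < 256 and len(name) == n and all(c in IDENT for c in name):
                yield name.decode("ascii")
                i += 3 + n
                continue
        i += 1

def find_suspect_classes(stream):
    """Return the suspicious class names present in the stream, in stream order."""
    return [name for name in class_descriptors(stream) if name in SUSPECT_CLASSES]

def class_desc(name):
    """Constructed TC_CLASSDESC record: name, serialVersionUID, flags, field count."""
    n = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(n)) + n
            + b"\x00" * 8 + b"\x02" + b"\x00\x00")

# Constructed sample streams (truncated object graphs, enough for the scanner).
SUSPECT_STREAM = (STREAM_MAGIC + b"\x73"
                  + class_desc("java.util.concurrent.atomic.AtomicReferenceArray")
                  + b"\x75" + class_desc("[Ljava.lang.Object;"))
BENIGN_STREAM = STREAM_MAGIC + b"\x73" + class_desc("java.util.ArrayList")

if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT_STREAM), ("benign", BENIGN_STREAM)):
        print(label, list(class_descriptors(data)), find_suspect_classes(data))
```

A hit only says the class is present, which legitimate serialized data may also contain, so treat it as a triage signal for applets and attachments rather than a verdict.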
Trend Micro protects users from this threat via the Trend Micro™ Smart Network Protection™, which detects and deletes the related malware. Trend Micro Deep Security also protects users via rule 1004955 – Oracle Java SE Remote Java Runtime Environment Vulnerability (CVE-2012-0507).
Update as of May 11, 2012, 7:55 AM PST
Rule 1005019 – Restrict Microsoft Office File With Linked SWF has been issued to protect against attacks using the vulnerability CVE-2012-0779.