Adobe released an out-of-band update for two critical zero-day vulnerabilities just a few days in advance to its regular monthly patch cycle. The Buffer overflow vulnerability (CVE-2013-0633), which exists in Flash Player can lead to remote code execution or denial of service conditions when exploited. This vulnerability, which has been exploited in the wild, targets Windows systems via ActiveX version of Flash Player. These attacks have been intended to deceive users by embedding malicious Flash (.SWF) file in Microsoft Word documents.
Another vulnerability being exploited in the wild is the remote memory-corruption vulnerability covered in CVE-2013-0634. Once successfully exploited, it can lead to remote code execution or application crash. According to the Adobe advisory, these vulnerabilities are currently being exploited in the wild via sending crafted .SWF files as email attachments or by tricking the user to click a URL. Trend Micro detects these exploits as TROJ_MDROP.REF. When executed, this malware drops a backdoor detected as BKDR_PLUGAX.A. This backdoor, in turn, has the capability to gather information such as computer name, hostname, and OS version among others. It can also download and load plugins and send and receive information from a malicious website thus compromising the security of the system. Here’s the list of affected product versions:
- Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
- Adobe Flash Player 22.214.171.1241 and earlier versions for Linux
- Adobe Flash Player 126.96.36.199 and earlier versions for Android 4.x
- Adobe Flash Player 188.8.131.52 and earlier versions for Android 3.x and 2.x
Just last month, we reported on the Java zero-day exploit employed by toolkits, Cool Exploit Kit (CEK) and Blackhole Exploit Kit (BHEK). Java released an update to address this zero-day exploit. Ironically, cybercriminals are quick to jump in and abused this opportunity to make a malware that poses as an update for Java.
Trend Micro Deep Security has released following new DPI rules to protect user systems against attacks using these zero-day exploits:
- 1005360 – Adobe Flash Player Remote Memory Corruption Vulnerability (CVE-2013-0634)
- 1005359 – Adobe Flash Player Heap Based Buffer Overflow Vulnerability (CVE-2013-0633)
It also advised to apply following existing smart DPI rules to protect against accessing any Microsoft Excel or Word Documents containing Flash (SWF) objects over Web:
- 1004647 – Restrict Microsoft Office File With Embedded SWF
- 1005158 – Restrict Microsoft Office Files With Embedded SWF – 2
Trend Micro Smart Protection Network™ also provides protection by detecting the malicious files.
Update as of 5:04 AM, Feb. 13 PST
TROJ_MDROP.REF it contains a malicious .SWF file (detected as SWF_EXPLOIT.MC) which executes a malicious DLL file (TROJ_DROPPER.YWO and TROJ64_DROPPER.YWO for 64-bit machines) to drop the final payload BKDR_PLUGAX.A. For more details about these malware, readers may refer to Trend Micro Threat Encyclopedia.