
Posted in: Blog, Posted On: Feb 27, 2014, Posted By: cyberinfoadmin

Adobe releases another Emergency Security Patch for Flash Player

Security firm FireEye has uncovered yet another critical zero-day vulnerability in the widely used Adobe Flash software, and Adobe has been forced to issue a second emergency patch update in less than a month.

All versions of Adobe Flash Player released before today’s patch are vulnerable to the zero-day exploit. The patch addresses a critical vulnerability, CVE-2014-0502, that allows attackers to remotely take control of infected systems and is being used in a watering-hole attack dubbed “Operation Greedywonk”.

The exploit, which affects the latest versions of Flash, is reported to be targeting visitors to the websites of three non-profit institutions, who are redirected to a malicious server hosting the zero-day exploit.

“Visitors to the Peter G. Peterson Institute for International Economics (www.piie[.]com) were redirected to an exploit server hosting this Flash zero-day through a hidden iframe,” FireEye said.


The security updates tackle a number of flaws, including:
  • CVE-2014-0498: a stack overflow vulnerability that, if exploited, can lead to arbitrary code execution
  • CVE-2014-0499: a memory leak vulnerability that, if exploited, can be used to defeat memory address layout randomization
  • CVE-2014-0502: a double free vulnerability that, if exploited, could result in arbitrary code execution

Reports confirm that an exploit for CVE-2014-0502 exists in the wild. It allows an attacker to bypass Address Space Layout Randomization (ASLR) protections on Windows XP, and on Windows 7 with Java version 1.6 or outdated Office 2007 or 2010, in order to execute the malicious code.

Anatomy of the attack: Antivirus firm Symantec explained:

This attack technique is known as a watering-hole attack. In this case, the target visits a compromised website that contains an IFrame inserted by the attackers in order to redirect the target to another website (giftserv.hopto.org). This new site loads a malicious index.php file (Trojan.Malscript) which checks whether the victim is running a 32-bit or 64-bit system. Depending on the results, a malicious index.html file (also Trojan.Malscript) and additional components are also downloaded from either the 32-bit or 64-bit folders hosted on the attacker’s server. The malicious index.html file then loads the cc.swf Adobe Flash file (Trojan.Swifi) containing the zero-day. Once exploited, a logo.gif image file is downloaded containing encrypted shellcode which downloads and executes the malicious server.exe (Backdoor.Jolob) payload.
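One way to hunt for the chain Symantec describes in web proxy logs, as an added example that is not from the original post, FireEye or Symantec. It assumes a simple four-field log format; the sample lines, the `/32/` folder name and the referer site are constructed.

```python
from urllib.parse import urlsplit

# Indicators from the Symantec description quoted above, in the order they are fetched.
IOC_HOST = "giftserv.hopto.org"
CHAIN = ["index.php", "index.html", "cc.swf", "logo.gif", "server.exe"]
VERDICT = {-1: "contacted", 0: "redirected", 1: "redirected",
           2: "exploit-served", 3: "exploit-served", 4: "payload-downloaded"}

# Constructed sample log; assumed format: timestamp client_ip url referer.
# The /32/ folder name and the referer site are made up for illustration.
SAMPLE_LOG = """\
2014-02-20T10:00:01 10.0.0.5 http://compromised.example/ -
2014-02-20T10:00:02 10.0.0.5 http://giftserv.hopto.org/index.php http://compromised.example/
2014-02-20T10:00:03 10.0.0.5 http://giftserv.hopto.org/32/index.html http://giftserv.hopto.org/index.php
2014-02-20T10:00:04 10.0.0.5 http://giftserv.hopto.org/32/cc.swf http://giftserv.hopto.org/32/index.html
2014-02-20T10:00:05 10.0.0.5 http://giftserv.hopto.org/32/logo.gif -
2014-02-20T10:00:06 10.0.0.5 http://giftserv.hopto.org/32/server.exe -
2014-02-20T10:05:00 10.0.0.9 http://GIFTSERV.hopto.org/index.php http://compromised.example/news
2014-02-20T10:06:00 10.0.0.7 http://benign.example/logo.gif -
"""

def triage(log_text):
    """Map each client that contacted IOC_HOST to its furthest chain stage
    and the external referers (candidate compromised sites) that led it there."""
    clients = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash mid-hunt
        _ts, client, url, referer = fields
        target = urlsplit(url)
        if (target.hostname or "").lower() != IOC_HOST:
            continue  # matching on host avoids flagging a benign logo.gif elsewhere
        entry = clients.setdefault(client, {"stage": -1, "referers": set()})
        name = target.path.rsplit("/", 1)[-1].lower()
        if name in CHAIN:
            entry["stage"] = max(entry["stage"], CHAIN.index(name))
        ref_host = urlsplit(referer).hostname
        if ref_host and ref_host.lower() != IOC_HOST:
            entry["referers"].add(ref_host.lower())
    return {c: (VERDICT[e["stage"]], sorted(e["referers"])) for c, e in clients.items()}

if __name__ == "__main__":
    for client, (verdict, referers) in sorted(triage(SAMPLE_LOG).items()):
        print(client, verdict, referers)
```

Clients marked `payload-downloaded` are the priority for incident response, while the collected referers point to the compromised sites that carried the hidden iframe.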

A very successful watering hole attack in early 2013 targeted mobile app developers and infected the internal networks of Apple, Facebook, Microsoft and Twitter, among other companies.

Fortunately, only certain computers are vulnerable to those further exploits: all Windows XP machines, and Windows 7 machines that have Java 1.6 or Microsoft Office 2007 or 2010 installed. “Users can mitigate the threat by upgrading from Windows XP and updating Java and Office,” FireEye researchers said.

To determine which version of Flash you are running, you can visit Adobe’s website. Users are recommended to update their Adobe Flash Player to address this critical vulnerability. You should download it from the Adobe Flash Player Download Centre.