17 Jun 2011 08:30 PM
Earlier this week Adobe released security updates for several of their products and now the CVE-2011-2110 vulnerability in Flash Player is actively being used in drive-by and spear-phishing attacks. Websense customers are protected from this scam by ACE, our Advanced Classification Engine.
The vulnerability is triggered when a web page is viewed in a browser that has the Adobe Flash Player plugin installed: a simple command on the page loads a malicious SWF file, as can be seen in this sample code captured by the Websense ThreatSeeker® Network:
We are still analyzing the vulnerability and how the exploit works, but here's what we know. The exploit samples we've seen so far use a heap information leak, so the exploit doesn't have to spray the heap. Once the vulnerability is triggered, the transfer of execution from legitimate code to malicious code takes place when the stack pointer (ESP) is replaced with the value in EAX.
Once the stack has been pivoted in this way, the exploit carries out the return-oriented programming (ROP) portion of the attack to allocate an executable memory page for the second stage of the shellcode.
Once the shellcode has executed, it tries to download an encrypted binary file, which is decrypted by ActionScript embedded in the SWF. The decrypted file is saved in the %TEMP% folder on the computer and then executed. Here's a VirusTotal link to one binary we saw used by one of the exploit files, but each exploit downloads a different file from a different server.
We also found an interesting debug string in one of the SWF files we looked at, which is a greeting to Rising, a Chinese antivirus company.
Below is a list of URLs where we've seen the exploit being hosted.
As always, it's crucial that you install the latest version of Adobe Flash Player as soon as possible if you haven't done so already. Any version older than 10.3.181.26 is vulnerable. If you're unsure which version of Adobe Flash Player you have installed, you can find out by going to this link hosted at Adobe.
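The version check above is easy to get wrong when done by hand across many machines, because Flash reports its version in more than one format and dotted strings do not compare correctly as plain text ("10.3.181.9" sorts after "10.3.181.26" alphabetically). The following is an added example, not code from the Websense post: it parses both the dotted form shown on Adobe's site and the comma-separated form Flash itself reports (e.g. "WIN 10,3,181,26"), compares the result numerically against the 10.3.181.26 fix version named above, and flags hosts in a small constructed inventory that still need updating. The inventory format and host names are assumptions for illustration.

```python
import re

# Fix version from the advisory: anything older than this is vulnerable to CVE-2011-2110.
FIXED_VERSION = "10.3.181.26"

# Matches "10.3.181.26" as well as the comma form Flash reports via $version,
# e.g. "WIN 10,3,181,26". The fourth component is optional; a missing one is treated as 0.
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)(?:[.,](\d+))?")


def parse_flash_version(text):
    """Return the Flash Player version in `text` as a 4-tuple of ints.

    Raises ValueError if no version-like token is present, so that an
    unparseable inventory entry is surfaced rather than silently passed.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"unrecognised Flash Player version string: {text!r}")
    parts = [int(group) if group is not None else 0 for group in match.groups()]
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True if `installed` is older than `fixed` (numeric, component-wise comparison)."""
    return parse_flash_version(installed) < parse_flash_version(fixed)


# Constructed sample inventory (hostname, reported Flash version). Not real data.
SAMPLE_INVENTORY = [
    ("ws-001", "WIN 10,3,181,26"),   # exactly the fixed version: not vulnerable
    ("ws-002", "10.3.181.14"),       # older build of the same branch: vulnerable
    ("ws-003", "WIN 10,2,159,1"),    # older major/minor: vulnerable
    ("ws-004", "11.0.1.152"),        # newer than the fix: not vulnerable
    ("ws-005", "MAC 10,3,181,9"),    # would sort *after* ...26 as text, but is older
]


def hosts_needing_update(inventory, fixed=FIXED_VERSION):
    """Return the hostnames whose installed Flash Player is older than `fixed`.

    Entries whose version cannot be parsed are reported too, since an unknown
    version should be treated as unverified rather than as patched.
    """
    flagged = []
    for host, version in inventory:
        try:
            if is_vulnerable(version, fixed):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player older than {FIXED_VERSION}, update required")
```

Note that a plain string comparison would have passed `ws-005` (10.3.181.9) as up to date; comparing the parsed integer tuple is what makes the check correct.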
Our friends over at Shadowserver have posted some information about this vulnerability on their blog.
(Technical analysis done by Victor Chin)