Blog Zscaler

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

S'abonner
Security Research

Adobe Flash “SWF” Exploit Still In The Wild.

image
THREATLABZ
novembre 10, 2011 - 2 Min de lecture

A vulnerability reported in Adobe Flash in April 2011 (CVE-2011-0611) continues to be targeted. When first reported, the vulnerability was widely exploited by embedding a “.swf” file into Microsoft Office documents/html pages. Adobe issued patch for this vulnerability soon after it was reported, but the vulnerability remains a popular target.

Source of hxxp://220.181.23.217/baike/mhxy.html :

Image

This exploit code embeds a “nb.swf” flash file into a webpage, which is then executed by the Adobe Flash player object initialized using classid “d27cdb6e-ae6d-11cf-96b8-444553540000”. When the page is being loaded, the malicious “nb.swf” file is downloaded from the URL “http://220.181.23.217/baike/nb.swf”.

Image

Execution of “nb.swf” leads to memory corruption in Flash Player, which allows execution of arbitrary shellcode, which is passed as an input parameter.

Shellcode:

Image

The Virustotal report for “nb.swf” shows it is a Trojan Downloader, used to deliver additional malware to the infected machine.

Image

 

Flash and other browser plugins remain a popular target for attackers, even for known vulnerabilities that have been patched for some time. This is because attackers know that plugins regularly remain unpatched for some time. The chart below details the most outdated browser plugins seen by Zscaler during Q3 2011. As can be seen, about 7% of all browsers that we see with Flash Player installed, are running an outdated and potentially vulnerable version of the software. Other plugins present are even more frightening targets.

Image

Be sure you update your plugins regularly!

Pradeep

form submtited
Merci d'avoir lu l'article

Cet article a-t-il été utile ?

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

En envoyant le formulaire, vous acceptez notre politique de confidentialité.