VB2014 paper: Ubiquitous Flash, ubiquitous exploits and ubiquitous mitigation

Posted by   Virus Bulletin on   Jan 30, 2015

Chun Feng and Elia Florio analyse two Flash Player vulnerabilities and an IE one where Flash provides a helping hand.

Since the close of the VB2014 conference in Seattle in October, we have been sharing VB2014 conference papers as well as video recordings of the presentations. Today, we have added 'Ubiquitous Flash, ubiquitous exploits and ubiquitous mitigation' by Microsoft researchers Chun Feng and Elia Florio.

Last week's news about a zero-day vulnerability in Adobe's Flash Player being used in the Angler exploit kit once again highlighted how Flash Player vulnerabilities affect almost every user of the Internet.

CVE-2015-0311 (which has since been patched; Trend Micro's Peter Pi wrote a thorough analysis here) wasn't the first serious Flash Player vulnerability, and it won't be the last.

In their VB2014 paper, Chun Feng and Elia Florio look at two earlier vulnerabilities: CVE-2013-5330 and CVE-2014-0497, with the latter being a consequence of the initial fix for the former not being perfect. Both vulnerabilities are caused by flaws in Flash Player's implementation of domain memory opcode and allow an attacker to craft an SWF file that can read/write to an arbitrary memory location.

The authors also look at a third vulnerability, CVE-2014-0322, which affects Internet Explorer but which is exploited with Flash Player used as a 'helper'. This is possible because IE and the Flash Player plug-in share the same address space.

Finally, the paper discusses mitigation techniques Adobe and Microsoft have added against similar exploits.

You can read the paper here in HTML-format, or download it here as a PDF (no registration or subscription required).

Posted on 30 January 2015 by Martijn Grooten

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

What kind of people attend Virus Bulletin conferences?

If you are considering submitting a proposal for a talk to VB2018 and you're not familiar with the event, you may find it useful to know what kind of people attend the conference.

Olympic Games target of malware, again

An unattributed malware attack has disrupted some computer systems of the 2018 Winter Olympics. In 1994, a computer virus also targeted the Winter Olympics.

There are lessons to be learned from government websites serving cryptocurrency miners

Thousands of websites, including many sites of government organisations in the UK, the US and Sweden, were recently found to have been serving a cryptocurrency miner. More interesting than the incident itself, though, are the lessons that can be…

We need to continue the debate on the ethics and perils of publishing security research

An article by security researcher Collin Anderson reopens the debate on whether publishing threat analyses is always in the public interest.

WordPress users urged to manually update to fix bug that prevents automatic updating

Users of the popular WordPress content management system are urged to manually update their installation to version 4.9.4, as a bug in the previous version broke the ability to automatically install updates.