Bing Liu Fortinet
download slides (PDF)
In today's online world, Adobe Flash's ubiquity is hardly deniable. The reasons for this success are diverse and can be speculated upon, but one consequence is certain: Flash is becoming a major vector of infection to the eyes of cybercriminals.
And, while Flash zero-day vulnerabilities are revealed at a steady pace, even other exploits, for example browser-related ones, are starting to leverage Flash. Indeed, the following two abilities in the Flash Player are precious to the attackers:
Based on the emulator, we also developed a simple scanner. It is rule-based and can flag known exploits in a flash, as well as zero-days (in some cases), thanks to the Heapspray/JIT-Spray detector.
In this paper, we will discuss the techniques implemented in our emulator and scanner by dissecting two Flash samples. Limits and countermeasure will also be discussed.