Concerned about VPN vulnerabilities? Learn how you can benefit from our VPN migration offer including 60 days free service.

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Adobe Flash “SWF” Exploit Still In The Wild.

image
THREATLABZ
November 10, 2011 - 2 min read

A vulnerability reported in Adobe Flash in April 2011 (CVE-2011-0611) continues to be targeted. When first reported, the vulnerability was widely exploited by embedding a “.swf” file into Microsoft Office documents/html pages. Adobe issued patch for this vulnerability soon after it was reported, but the vulnerability remains a popular target.

Source of hxxp://220.181.23.217/baike/mhxy.html :

Image

This exploit code embeds a “nb.swf” flash file into a webpage, which is then executed by the Adobe Flash player object initialized using classid “d27cdb6e-ae6d-11cf-96b8-444553540000”. When the page is being loaded, the malicious “nb.swf” file is downloaded from the URL “http://220.181.23.217/baike/nb.swf”.

Image

Execution of “nb.swf” leads to memory corruption in Flash Player, which allows execution of arbitrary shellcode, which is passed as an input parameter.

Shellcode:

Image

The Virustotal report for “nb.swf” shows it is a Trojan Downloader, used to deliver additional malware to the infected machine.

Image

 

Flash and other browser plugins remain a popular target for attackers, even for known vulnerabilities that have been patched for some time. This is because attackers know that plugins regularly remain unpatched for some time. The chart below details the most outdated browser plugins seen by Zscaler during Q3 2011. As can be seen, about 7% of all browsers that we see with Flash Player installed, are running an outdated and potentially vulnerable version of the software. Other plugins present are even more frightening targets.

Image

Be sure you update your plugins regularly!

Pradeep

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.