Flash Vulnerability Problems No Flash in the Pan [CVE-2016-4117]

Posted by Michael Gorelik on May 20, 2016 3:25:23 PM
Michael Gorelik
Find me on:

blog_750x400.jpg

Yet another critical Flash vulnerability was uncovered this month, thanks to researchers at FireEye. The vulnerability, CVE-2016-4117, exists in Flash 21.0.0.226 and earlier versions for Windows, Mac, Linux, and Chrome OS. It received a CVSS v3 rating of 9.8, indicating extremely critical (Adobe rushed out a patch earlier this week).

Attackers embedded the exploit in a Microsoft Office document, which they hosted on a DDNS server. When the target opens the document, for example via a phishing email attachment or a malicious URL, the exploit is triggered and the payload downloaded. In a clever twist, an innocent decoy document is then displayed.

The payload executes malware which connects to a second C2 (command and control) server, effectively giving the attacker control of the target’s system. The zero day discovered by FireEye specifically targeted newer Flash versions by including an abort feature if it detected a version older than 21.0.0.196.   

Trend Micro points out that this vulnerability shares many similarities with the Flash CVE-2015-7645 vulnerability used in 2015 by Pawn Storm. Both are type confusion risk vulnerabilities with similar disassembled code. This suggests that the same vulnerable code may have been reused elsewhere, resulting in additional, as yet unknown, vulnerabilities.

Of course Morphisec users have nothing to worry about. Morphisec blocks the exploit immediately upon opening the Microsoft document; it never even connects with the remote server. Morphisec Chief Investigator Michael Gorelik shows how it works in this attack video:

 

 

Credit goes to @PhysicalDrive0  for informing us of the new sample we demonstrate in the video. According to VirusTotal only 2 solutions identified it during the first 2 hours:

virustotal-2016-05-17.jpg

 New Call-to-action

Topics: Cyber Attacks, APT, Attack Analysis

Welcome to our Blog

Keeping you in the loop with company updates, industry insight, cyber security trends, and cyber attack information.

Subscribe to the blog

Morphisec Named a Cool Vendor 2016

Morphisec is a Gartner Cool Vendor 2016

Each year Gartner identifies new Cool Vendors it considers innovative or transformative. Morphisec is honored be to named a Cool Vendor 2016. Here's more....