14 DAY TRIAL // Adobe has released version 13.0.0.206 of Flash Player for Windows and Mac and 11.2.202.356 for Linux. The latest variants address a zero-day vulnerability that has been leveraged in watering hole attacks apparently targeted at Syrian dissidents.
In its advisory, Adobe says that the security hole can be exploited to take control of affected systems. The company is aware that an exploit for the vulnerability exists in the wild.
CVE-2014-0515, which impacts the Pixel Bender component in Flash Player, has been reported to Adobe by Kaspersky Labs researcher Alexander Polyakov. Vyacheslav Zakorzhevsky, another Kaspersky expert, revealed in a blog post published on Monday that the company detected two new SWF exploits sometime in mid-April.
After a few days, Adobe confirmed that the exploits leveraged a zero-day vulnerability. Cybercriminals placed the two exploits on a compromised website as unpacked flash video files called movie.swf and include.swf.
Both exploits contain Action Script code that’s not obfuscated or encrypted. Each of them has two shellcodes. One of the shellcodes is the same in both applications and it’s designed to prepare the memory for the second shellcode.
The shellcode in movie.swf searches for system libraries in the memory, after which it downloads and executes the payload. The shellcode in include.swf is “unusual,” and it only works if Flash Player Active X and the Cisco MeetingPlace Express (MPE) add-in are present on the targeted system.
Researchers believe that the Cisco component could be used to download the payload and to spy on the infected device.
So where have these exploits been found? Kaspersky has spotted them on a website launched in 2011 by the Syrian Ministry of Justice (jpic.gov.sy). The site is for Syrian citizens who want to complain about law and order violations, which indicates that the attack is aimed at dissidents who complain about the government.
Experts note that a hacker using the online moniker “oliver tucket” announced hacking this and other Syrian government websites back in September 2013.
A total of 30 infections were detected by Kaspersky on the computers of seven Syrian users. All of them accessed the website from various Firefox variants.
“It's likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this,” Zakorzhevsky explained.
Zakorzhevsky also highlights that there’s an advantage in using a vulnerability in Pixel Bender, a component that’s no longer supported by Adobe. The attackers were most likely hoping that a security hole in such a component would not be found too soon, enabling them to rely on the exploit for a longer period.
You can download Flash Player for Windows, Mac and Linux from Softpedia.