New Adobe Flash Player Zero-day Exploit Leads to PlugX
Attackers continuously leverage vulnerabilities in popular software such as Microsoft Windows and Adobe products. Just recently, Adobe released an out-of-band update addressing three critical vulnerabilities in Flash Player. The update, APSB14-07, resolves the following issues in Flash Player:
- Stack-based buffer overflow vulnerability (CVE-2014-0498) allows attackers to execute arbitrary code via unspecified vectors.
- Out-of-bounds read vulnerability (CVE-2014-0499) leaks address information, which makes it easier for attackers to bypass mitigations such as Address Space Layout Randomization (ASLR). Successful exploitation results in information disclosure.
- Double free vulnerability (CVE-2014-0502) can be exploited to cause memory corruption, which allows remote attackers to execute arbitrary code. Adobe confirms that this is a zero-day actively exploited in the wild.

Several websites are reported to have been compromised to redirect visitors to a malicious server hosting a malicious Flash file. Based on our investigation, users who visit the compromised websites unknowingly download a malicious .SWF file, detected by Trend Micro as SWF_EXPLOYT.LPE. This SWF exploit then downloads a PlugX variant, detected as BKDR_PLUGX.NSC. PlugX is a remote access tool (RAT) known for its stealth mechanisms.
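When an infection chain like the one above is being triaged, the first practical question is usually "which of these downloaded objects is actually a Flash file, and what is in it?", since the file name, extension and Content-Type served by a compromised site cannot be trusted. The helper below is an added example (not Trend Micro's tooling and not the SWF_EXPLOYT.LPE sample): it identifies SWF files by their header signature, inflates a zlib-compressed (CWS) body, parses the frame RECT, frame rate and frame count, walks the tag table, and records a few generic triage notes (declared-length mismatch, truncated tags, presence of ActionScript 3 bytecode or embedded binary data). The sample SWF it parses is constructed inline; its version byte (12) and DoABC tag contents are assumptions chosen to resemble a Flash Player 12-era file, not bytes from the real exploit.

```python
"""Triage helper: identify SWF files by header (not extension) and summarise their
structure. Added example, not Trend Micro's code; the sample SWF is constructed."""
import struct
import zlib

SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 69: "FileAttributes",
             76: "SymbolClass", 82: "DoABC", 87: "DefineBinaryData"}


class _BitReader:
    """MSB-first bit reader for SWF bit-packed fields such as RECT."""

    def __init__(self, data: bytes, offset: int = 0):
        self.data, self.pos = data, offset * 8

    def read(self, nbits: int) -> int:
        value = 0
        for _ in range(nbits):
            byte = self.data[self.pos >> 3]
            value = (value << 1) | ((byte >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return value

    def byte_offset(self) -> int:
        """Byte offset after aligning to the next byte boundary."""
        return (self.pos + 7) >> 3


def is_swf(data: bytes) -> bool:
    """True if the first bytes carry a Flash signature, whatever the extension says."""
    return len(data) >= 8 and data[:3] in SWF_SIGNATURES


def parse_swf(data: bytes) -> dict:
    """Parse the SWF header, frame RECT, frame rate/count and the tag table."""
    if not is_swf(data):
        raise ValueError("not an SWF file (signature must be FWS, CWS or ZWS)")
    compression = SWF_SIGNATURES[data[:3]]
    version = data[3]
    declared_length = struct.unpack_from("<I", data, 4)[0]  # uncompressed size incl. header
    if compression == "zlib":
        body = zlib.decompress(data[8:])
    elif compression == "lzma":
        raise ValueError("ZWS (LZMA) bodies are not handled by this helper")
    else:
        body = data[8:]

    notes = []
    if declared_length != 8 + len(body):
        notes.append("declared length %d != actual %d" % (declared_length, 8 + len(body)))

    # Frame size is a RECT: 5-bit field width, then xmin/xmax/ymin/ymax in twips (20 per px).
    bits = _BitReader(body)
    nbits = bits.read(5)
    xmin, xmax, ymin, ymax = (bits.read(nbits) for _ in range(4))
    offset = bits.byte_offset()
    frame_rate = struct.unpack_from("<H", body, offset)[0] / 256.0  # 8.8 fixed point
    frame_count = struct.unpack_from("<H", body, offset + 2)[0]
    offset += 4

    # Tag table: UI16 header = (code << 6) | length; length 0x3F means a UI32 long length follows.
    tags = []
    while offset + 2 <= len(body):
        header = struct.unpack_from("<H", body, offset)[0]
        code, length = header >> 6, header & 0x3F
        offset += 2
        if length == 0x3F:
            if offset + 4 > len(body):
                notes.append("long tag header truncated")
                break
            length = struct.unpack_from("<I", body, offset)[0]
            offset += 4
        tags.append((code, length))
        if offset + length > len(body):
            notes.append("tag %d (%s) runs past end of file" % (code, TAG_NAMES.get(code, "?")))
            break
        offset += length
        if code == 0:  # End tag closes the file
            break
    if any(code == 82 for code, _ in tags):
        notes.append("contains ActionScript 3 bytecode (DoABC)")
    if any(code == 87 for code, _ in tags):
        notes.append("embeds binary data (DefineBinaryData), a common place to stage payloads")

    return {"compression": compression, "version": version, "declared_length": declared_length,
            "length_matches": declared_length == 8 + len(body),
            "frame_size_px": ((xmax - xmin) // 20, (ymax - ymin) // 20),
            "frame_rate": frame_rate, "frame_count": frame_count, "tags": tags, "notes": notes}


def _encode_rect(xmin: int, xmax: int, ymin: int, ymax: int, nbits: int = 15) -> bytes:
    bits = format(nbits, "05b") + "".join(format(v, "0%db" % nbits) for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)  # pad to a byte boundary
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def _tag(code: int, payload: bytes = b"") -> bytes:
    return struct.pack("<H", (code << 6) | len(payload)) + payload  # short form only (< 63 bytes)


def build_sample_swf(compress: bool) -> bytes:
    """Constructed 550x400 px, 24 fps, 1-frame SWF: FileAttributes, a DoABC tag with
    placeholder bytes (not valid ABC), ShowFrame and End. Version 12 is an assumption."""
    body = _encode_rect(0, 11000, 0, 8000)
    body += struct.pack("<HH", 24 << 8, 1)                      # 24.0 fps, 1 frame
    body += _tag(69, b"\x08\x00\x00\x00")                        # FileAttributes: ActionScript3 flag
    body += _tag(82, b"\x01\x00\x00\x00" + b"\x00" + b"\x00")    # DoABC: flags, empty name, 1 byte
    body += _tag(1) + _tag(0)                                    # ShowFrame, End
    header = (b"CWS" if compress else b"FWS") + bytes([12]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    for key, value in parse_swf(build_sample_swf(compress=True)).items():
        print("%-16s %s" % (key, value))
```

Run against a directory of objects carved from a proxy log or a packet capture, `is_swf()` separates Flash content from everything else regardless of how it was named or served, and the notes give a quick reason to look closer (a declared length that disagrees with the file, truncated tags, or AS3 bytecode in a file that a site claims is a banner). The helper deliberately stops at the tag table; disassembling the ABC bytecode itself is a job for a dedicated SWF decompiler.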
These are the affected platforms:
|Product|Updated version|Platform|Priority rating|
|Adobe Flash Player|12.0.0.70|Windows|1|
|Adobe Flash Player|12.0.0.70|Internet Explorer 10 for Windows 8.0|1|
|Adobe Flash Player|12.0.0.70|Internet Explorer 11 for Windows 8.1|1|
|Adobe Flash Player|12.0.0.70|Chrome for Windows and Linux|1|
Trend Micro Deep Security has released the following new deep packet inspection (DPI) rules to protect against exploits leveraging these vulnerabilities:
- 1005918 – Adobe Flash Player Stack-based Buffer Overflow Vulnerability (CVE-2014-0498)
- 1005919 – Adobe Flash Player Out Of Bound Read Vulnerability (CVE-2014-0499)
- 1005922 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2014-0502)
Aside from Deep Security, the browser exploit prevention technology in Titanium 7 also protects against exploits targeting CVE-2014-0498 and CVE-2014-0502. For CVE-2014-0499, we recommend updating to the latest version of Flash Player.
Trend Micro blocks all related threats and URLs associated with this attack. We advise users to keep installed software updated to the latest version.
With additional analysis from Kai Yu.