Kaspersky Lab discovered and blocked zero-day vulnerability in Adobe Flash Player
New Delhi, India, April 30, 2014: Kaspersky Lab’s heuristic detection protection subsystem has successfully blocked attacks via a zero-day vulnerability in Adobe Flash software. Kaspersky Lab researchers discovered this vulnerability, which was targeted by exploits distributed via a legitimate government website created to collect public complaints about breaches of the law in a Middle Eastern country.
In mid-April, Kaspersky Lab experts analyzing data from Kaspersky Security Network discovered a previously unknown exploit. On closer examination, it turned out that the exploit was using a previously unknown vulnerability in the popular multimedia software Adobe Flash Player. The vulnerability exists in Pixel Bender, an old component designed for video and photo processing.
Further investigation found that exploits were distributed from a website created in 2011 by the Syrian Ministry of Justice to enable people to lodge complaints about breaches of the law. We believe the attack was designed to target Syrian dissidents complaining about the government.
Kaspersky Lab experts discovered two kinds of exploits in total, with differences in shellcode (a small piece of code used as the payload when exploiting a software vulnerability).
Vulnerability Research Group Manager at Kaspersky Lab Vyacheslav Zakorzhevsky said, “The first exploit showed rather primitive download-and-execute payload behavior but the second one tried to interact with Cisco Meeting Place Express Add-In – a special Flash plugin for co-working, in particular, for joint viewing of documents and pictures on a presenter’s PC desktop. This plugin is completely legitimate, but in these particular circumstances it could be used as a spying tool. Moreover, we discovered that this ‘second’ exploit works only if a certain version of Flash Player and CMP Add-In are installed on the attacked PC. This means that attackers probably aimed at a very limited list of victims.”
Immediately after discovering the first exploit, Kaspersky Lab specialists contacted Adobe representatives to inform them of the new vulnerability. After examining the information provided by Kaspersky Lab, Adobe acknowledged that the vulnerability has zero-day status and developed a patch, which is now available on Adobe’s website. The CVE number of this vulnerability is CVE-2014-0515.
“Although we’ve only seen a limited number of attempts to exploit this vulnerability, we’re strongly recommending users to update their versions of Adobe Flash Player software. It is possible that once information about this vulnerability becomes known, criminals would try to reproduce these new exploits or somehow get the existing variants and use them in other attacks. Even with a patch available, cybercriminals would expect to profit from this vulnerability because a worldwide update of software as widely used as Flash Player will take some time. Unfortunately this vulnerability will be dangerous for a while,” said Vyacheslav Zakorzhevsky.
It is the second time this year that Kaspersky Lab specialists have discovered a zero-day vulnerability. In February, the company’s specialists discovered CVE-2014-0497 – another zero-day vulnerability in Adobe Flash Player, which allows attackers to stealthily infect victim PCs.