Monday 18 March 2013

2 x Adobe Zero Day Exploits


If you are working in computer security and still have not heard about the latest Adobe Flash 0-days, CVE-2013-0633 and CVE-2013-0634, then you should change jobs! These vulnerabilities were found exploited in targeted attacks through spear-phishing e-mail messages aimed at several industries, including aerospace.
One of the attached Word documents used the 2013 IEEE Aerospace Conference schedule as its lure, and another reported sample was themed on the online payroll system of the US company ADP; both exploited CVE-2013-0633.

Adobe fixed both vulnerabilities in APSB13-04 on 7 February, but at that point they had not been found exploited at scale in exploit kits. There was also confusion among anti-virus vendors and security researchers about which of the two a given sample exploited, so detection names for CVE-2013-0633 and CVE-2013-0634 were often swapped. As stated in Adobe APSB13-04, CVE-2013-0633 was only seen exploited through malicious SWF content embedded in Word documents, while CVE-2013-0634 was exploited both through SWF content served from HTML web pages and through SWF content embedded in Word documents.
So, as nobody has seen CVE-2013-0633 working outside a Word document, I will suppose that the vulnerability I discovered being exploited in the Gong Da exploit kit is potentially a fork of CVE-2013-0633, or could be CVE-2013-0634.


Here is the new code in the Gong Da exploit kit.
[Screenshot, 2013-02-25 23.29.30: the new code in the Gong Da exploit kit landing page]
If you take a look at the ActionScript of “myrF03.swf” (MD5 506fe8f82ea151959c5160bc40da25b5) you will see some similarities with CVE-2013-0633, such as the “ByteArrayAsset” reference mentioned by MalwareMustDie, or the well-known “LadyBoyle” function.
[Screenshots, 2013-02-26 00.10.49 and 00.11.03: decompiled ActionScript of myrF03.swf showing “ByteArrayAsset” and “LadyBoyle”]


Users should update Flash Player if it does not do so automatically. The affected versions and platforms listed in APSB13-04 are as follows:
  • Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.261 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x
CVE-2013-0633 was exploited through Microsoft Word documents that, when opened, run an embedded malicious Flash (SWF) file. CVE-2013-0634 was exploited both that way and through a malicious SWF hosted on a website, which is the vector an exploit kit uses.
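The two technical points above, that the kit's SWF carries the “ByteArrayAsset” and “LadyBoyle” names in its ActionScript, and that the same vulnerabilities were delivered both as SWF content embedded in Word documents and as SWF content hosted on web pages, suggest a simple triage step: carve SWF headers out of whatever container you were handed, inflate the zlib-compressed (CWS) ones, and search the tag stream for those names. The script below is an added example written for this page; it is not code from the blog, from the Gong Da kit or from Adobe. The sample SWF and the OOXML container it builds are constructed here and contain no exploit logic; the length bounds and the version cut-off of 40 are assumptions used to discard chance matches, and the two strings are triage hints, not a signature on their own.

```python
import io
import struct
import zipfile
import zlib

# Strings the post names in the ActionScript of the kit's SWF. Triage hints only.
INDICATORS = (b"LadyBoyle", b"ByteArrayAsset")

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib-compressed, LZMA-compressed
MIN_SWF_LENGTH = 21                          # assumption: 8-byte header + smallest RECT + rate + count
MAX_SWF_LENGTH = 100 * 1024 * 1024           # assumption: anything larger is a chance match
MAX_VERSION = 40                             # assumption: Flash file format versions are small ints


def decompress_swf(data: bytes):
    """Return (version, declared_length, body) for a blob starting with a SWF header, or None.
    body is the tag stream after the 8-byte header; ZWS (LZMA) is recognised but not inflated."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]
    declared = struct.unpack_from("<I", data, 4)[0]   # total uncompressed file length
    if data[:3] == b"FWS":
        body = data[8:declared]
    elif data[:3] == b"CWS":
        try:
            body = zlib.decompressobj().decompress(data[8:])   # tolerates trailing bytes and truncation
        except zlib.error:
            return None
    else:
        body = b""
    return version, declared, body


def carve_swfs(data: bytes) -> list:
    """Find SWF headers anywhere in a byte blob (raw .swf, OLE2 .doc, ...) and hunt for INDICATORS."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            chunk = data[pos:]
            if len(chunk) >= 8:
                version = chunk[3]
                declared = struct.unpack_from("<I", chunk, 4)[0]
                if version <= MAX_VERSION and MIN_SWF_LENGTH <= declared <= MAX_SWF_LENGTH:
                    parsed = decompress_swf(chunk)
                    if parsed is not None:
                        _, _, body = parsed
                        hits.append({
                            "offset": pos,
                            "signature": sig.decode(),
                            "version": version,
                            "declared_length": declared,
                            "body_length": len(body),
                            "decompressed": sig != b"ZWS",
                            "indicators": [s.decode() for s in INDICATORS if s in body],
                        })
            pos = data.find(sig, pos + 1)
    hits.sort(key=lambda h: h["offset"])
    return hits


def triage(data: bytes) -> list:
    """Scan one file: OOXML (.docx) members one by one, anything else (raw SWF, OLE2 .doc) as a blob."""
    if data[:4] == b"PK\x03\x04":
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                for hit in carve_swfs(z.read(name)):
                    results.append(dict(hit, member=name))
        return results
    return [dict(hit, member=None) for hit in carve_swfs(data)]


def _tag(code: int, payload: bytes) -> bytes:
    # SWF tag with long-form header: 10-bit code, 6-bit length field 0x3F, then UI32 length.
    return struct.pack("<H", (code << 6) | 0x3F) + struct.pack("<I", len(payload)) + payload


def build_sample_swf(compressed: bool = True) -> bytes:
    """Constructed stand-in for the kit's SWF: one DoABC tag whose payload carries the two strings.
    This is not myrF03.swf and contains no exploit logic."""
    rect = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"            # RECT, 550x400 pixels in twips
    head = rect + b"\x00\x0c" + b"\x01\x00"                     # frame rate 12, frame count 1
    abc = b"\x01\x00\x00\x00\x00" + b"LadyBoyle\x00ByteArrayAsset\x00"   # DoABC flags + fake pool
    body = head + _tag(82, abc) + _tag(0, b"")                  # DoABC tag, then End tag
    length = struct.pack("<I", 8 + len(body))
    if compressed:
        return b"CWS" + bytes([11]) + length + zlib.compress(body)
    return b"FWS" + bytes([11]) + length + body


def build_sample_docx(swf: bytes) -> bytes:
    """Constructed OOXML container with the SWF under word/embeddings/, behind a fake OLE2 header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin",
                   b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    swf = build_sample_swf()
    for label, blob in (("swf", swf), ("docx", build_sample_docx(swf))):
        for hit in triage(blob):
            print(label, hit)
```

Run the file to see the hits for the two constructed samples, or call triage() on the bytes of a real .swf, .docx or .doc. An OLE2 .doc is scanned as a single blob, which finds an embedded SWF stored contiguously; a stream fragmented across sectors needs a proper OLE2 parser (not shown here).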



