Kaspersky Lab discovered and blocked zero-day vulnerability in Adobe Flash Player

Moscow/Ingolstadt, (PresseBox) - Kaspersky Lab's heuristic detection protection subsystem has successfully blocked attacks via a zero-day vulnerability in Adobe Flash software. Kaspersky Lab researchers discovered this loophole, which was targeted by exploits distributed via a legitimate government website created to collect public complaints about breaches of the law in a Middle Eastern country.

In mid-April, Kaspersky Lab experts analyzing data from Kaspersky Security Network [1] discovered a previously unknown exploit. On closer examination it turned out that the exploit was using a previously unknown vulnerability in the popular multimedia software Adobe Flash Player. The vulnerability exists in Pixel Bender - an old component designed for video and photo processing.

Further investigation found that exploits were distributed from a website created in 2011 by the Syrian Ministry of Justice to enable people to lodge complaints about breaches of the law. We believe the attack was designed to target Syrian dissidents complaining about the government.

Kaspersky Lab experts discovered two kinds of exploits in total, with differences in shellcode (a small piece of code used as the payload when exploiting a software vulnerability).

"The first exploit showed rather primitive download-and-execute payload behavior but the second one tried to interact with Cisco MeetingPlace Express Add-In - a special Flash plugin for co-working, in particular, for joint viewing of documents and pictures on a presenter's PC desktop.

This plugin is completely legitimate, but in these particular circumstances it could be used as a spying tool. Moreover, we discovered that this 'second' exploit works only if a certain version of Flash Player and CMP Add-In are installed on the attacked PC. This means that attackers probably aimed at a very limited list of victims," said Vyacheslav Zakorzhevsky, Vulnerability Research Group Manager at Kaspersky Lab.

Immediately after discovering the first exploit, Kaspersky Lab specialists contacted Adobe representatives to inform them of the new vulnerability. After examining the information provided by Kaspersky Lab, Adobe acknowledged that the vulnerability has zero-day status and developed a patch, which is now available on Adobe's website. The CVE number of this vulnerability is CVE-2014-0515 [2].

"Although we've only seen a limited number of attempts to exploit this vulnerability, we're strongly recommending users to update their versions of Adobe Flash Player software. It is possible that once information about this vulnerability becomes known, criminals would try to reproduce these new exploits or somehow get the existing variants and use them in other attacks. Even with a patch available, cybercriminals would expect to profit from this vulnerability because a worldwide update of software as widely used as Flash Player will take some time.

Unfortunately this vulnerability will be dangerous for a while," said Vyacheslav Zakorzhevsky.

More information about this recently discovered zero-day vulnerability in Adobe Flash can be found here: http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks

It is the second time this year that Kaspersky Lab specialists have discovered a zero-day vulnerability. In February, the company's specialists discovered CVE-2014-0497 [3] - another zero-day vulnerability in Adobe Flash Player, which allows attackers to stealthily infect victim PCs.

Heuristic detection subsystem

The heuristic detection subsystem is a part of the antivirus engine used in multiple Kaspersky Lab products for home and corporate users, such as Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Endpoint Security for Business and others. Just like a traditional antivirus, this system uses a database of signatures to detect malicious software. But while antivirus technology usually requires a signature for each individual piece of malware, no matter how closely related, heuristic detection can cover whole ranges of malicious programs. It does this using heuristics - special signatures that detect not only individual pieces of malware but also whole collections of malicious programs grouped according to a list of special features. The heuristic signature which covered the behavior of the new zero-day exploit in Adobe Flash was added to Kaspersky Lab databases as early as January.

Moreover, during a special test conducted by Kaspersky Lab's specialists it was discovered that exploits using CVE-2014-0515 are detected accurately by Kaspersky Lab's Automatic Exploit Prevention technology [4] - another powerful tool to detect unknown threats.

In November 2013 the same technology successfully blocked attacks using a zero-day vulnerability in Microsoft Office software. Also at the end of 2012 it proactively blocked [5] several malicious components which - as it was discovered later - belonged to Red October [6], a large-scale cyber-espionage campaign detected by Kaspersky Lab researchers in January 2013.

[1] http://www.kaspersky.com/images/KESB_Whitepaper_KSN_ENG_final.pdf

[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0515

[3] http://www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability

[4] http://media.kaspersky.com/pdf/kaspersky-lab-whitepaper-automatic-exploit-prevention.pdf

[5] http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Labs_Technology_Proactively_Blocks_Attacks_via_Zero-Day_Vulnerability_in_Microsoft_Office

[6] http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies

Kaspersky Labs GmbH

Kaspersky Lab is the world's largest privately held vendor of endpoint security solutions. The company is ranked among the four most successful vendors of security solutions for endpoint users.* In its more than 16-year history, Kaspersky Lab has brought numerous innovations in IT security to market and offers effective digital security solutions for large enterprises, SMBs and home users. Kaspersky Lab, with its holding company in Great Britain, currently operates in around 200 countries across the world and protects over 300 million users worldwide.

Further information about Kaspersky Lab is available at http://www.kaspersky.com/de/. Brief updates are also available via www.twitter.com/... and www.facebook.com/....

The latest on viruses, spyware and spam, as well as information on other IT security issues and trends, is available at www.viruslist.de and on the Kaspersky blog at http://blog.kaspersky.de/.

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares" (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.
