Adobe patches two vulnerabilities being exploited in the wild

February 8, 2013 | Jaime Blasco

Yesterday, Adobe released a patch for Adobe Flash Player that fixes two zero-day vulnerabilities being exploited in the wild. According to Adobe, CVE-2013-0633 is being exploited using Microsoft Office files with embedded Flash content delivered via email. Adobe is also aware of CVE-2013-0634 being exploited through web browsers such as Firefox and Safari on Mac OS X. FireEye released some information a few hours ago.

We found several Microsoft Office files containing the exploit that appear to be part of a spear-phishing campaign targeting several industries, including aerospace.

One of the files uses the 2013 IEEE Aerospace Conference schedule as a lure to trick the user into opening it. Here is the content displayed to the user.

Another sample uses as its lure an online payroll system used by several companies in the US.

As noted above, the .doc files contain an embedded Flash (SWF) file with no compression or obfuscation. The SWF in turn embeds an executable, which is the actual payload delivered to the victim. It is worth mentioning that the executable is not obfuscated at all either, which means most security products should be able to detect this threat using generic signatures.
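As an added triage example (this is not code from the original post or from AlienVault's tooling), the script below does what a responder would do first with a document like this: carve any SWF out of the carrier file by its FWS/CWS/ZWS header, inflate a zlib-compressed (CWS) one, and then look for an embedded PE by validating that the MZ header's e_lfanew field points at a real "PE\0\0" signature rather than just grepping for "MZ". The carrier it builds is constructed test data with a stub PE, not the real sample; the ZWS (LZMA) case is reported but not inflated.

```python
import struct
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA


def find_swf_headers(data):
    """Yield (offset, signature, version, declared_length) for each plausible
    SWF header in data. The header is a 3-byte signature, a 1-byte Flash
    version and a 4-byte little-endian length of the *uncompressed* file."""
    for sig in SWF_SIGNATURES:
        pos = data.find(sig)
        while pos != -1 and pos + 8 <= len(data):
            version = data[pos + 3]
            length = struct.unpack_from("<I", data, pos + 4)[0]
            # Filter chance three-byte matches: sane version, and a length that
            # at least covers the header and is not absurd for a document.
            if 1 <= version <= 50 and 8 < length < 64 * 1024 * 1024:
                yield pos, sig.decode(), version, length
            pos = data.find(sig, pos + 1)


def carve_swf(data, offset, sig, length):
    """Return the SWF body after the 8-byte header, inflated if zlib-compressed.
    Returns None for ZWS, whose LZMA framing is not handled here."""
    if sig == "FWS":
        return data[offset + 8: offset + length]
    if sig == "CWS":
        # The declared length is the uncompressed size, so read to the end of
        # the zlib stream instead; decompressobj tolerates trailing bytes.
        return zlib.decompressobj().decompress(data[offset + 8:])
    return None


def find_embedded_pe(blob):
    """Return offsets of MZ headers whose e_lfanew points at a PE signature."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + e_lfanew: pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def triage(data):
    """Describe every SWF found in a carrier file and any PE it embeds."""
    findings = []
    for offset, sig, version, length in find_swf_headers(data):
        body = carve_swf(data, offset, sig, length)
        findings.append({
            "offset": offset,
            "signature": sig,
            "version": version,
            "compressed": sig != "FWS",
            "pe_offsets": find_embedded_pe(body) if body is not None else None,
        })
    return findings


def build_sample(compress=False):
    """Constructed test carrier: an OLE-like prefix, one SWF and a stub PE.
    This is synthetic data, not the document discussed in the post."""
    pe = bytearray(b"MZ" + b"\x00" * 0x7E)
    struct.pack_into("<I", pe, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    pe += b"PE\x00\x00" + b"\x00" * 20
    # RECT, frame rate and frame count precede the tag stream (values arbitrary).
    body = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00" + b"\x00\x0c" + b"\x01\x00"
            + bytes(pe))
    header_len = struct.pack("<I", 8 + len(body))
    if compress:
        swf = b"CWS" + bytes([10]) + header_len + zlib.compress(body)
    else:
        swf = b"FWS" + bytes([10]) + header_len + body
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return ole_magic + b"\x00" * 64 + swf + b"\x00" * 32


if __name__ == "__main__":
    for compressed in (False, True):
        for hit in triage(build_sample(compressed)):
            print(hit)
```

Run it against a real .doc and every FWS hit with a non-empty pe_offsets list is an uncompressed Flash object carrying a Windows executable, which is exactly the structure described above; a CWS hit means the attacker at least bothered to compress the SWF, and a ZWS hit needs LZMA handling before the payload check.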

The Flash files contain several ActionScript classes that check for specific Flash Player and operating system versions, plus code that triggers the exploit only when those checks pass.

The code contains several references to “Lady Boyle” who is a character in the computer game Dishonored.

One of the payloads is an executable signed with a fake certificate from a South Korean company called MGAME. We have seen this certificate dozens of times in the past in targeted attacks, including attacks on NGOs, where it was used to sign several RAT files including PlugX.

The sample connects to ieee[.]boeing-job[.]com (C&C):


We will keep you up to date as we discover new information related to this attack.

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
