Analysis of Latest Adobe Flash Vulnerability CVE-2014-0497 (Feb 7, 2014)

By

Dell Sonicwall Threats Research Team has analyzed an Integer Underflow Vulnerability (CVE-2014-0497) in Adobe Flash.
This is the latest vulnerability that affects Flash Player versions before 12.0.0.44 and 11.2.202.336.

Flash Specification supports the following formats, ZWS(LZMA compression), CWS(Zlib compression), FWS(uncompressed).

Flash also supports ActionScript ByteCode embedded in a Flash file which is run by ActionScript Virtual Machine.
This vulnerability can be exploited by creating malformed ActionScript shown by the following disassembly.

We observed following crashes while debugging both IE and Flash Player.

A remote attacker can exploit this vulnerability by creating a malformed SWF file and cause arbitrary code execution.

We have implemented following signatures to detect the attack.

  • IPS:9996 Thirdbase C&C Traffic
  • GAV:16454 Malformed.swf.MP.91
  • GAV: 36030 Malformed.swf.MP.92
  • GAV: 36037 Malformed.swf.MP.93
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.