CVE-2015-5119(Recent Adobe Flash 0-day) Exploit in the wild

We called out in our previous SonicAlert that CVE-2015-5119 is very easy to exploit. It’s not a surprise that the exploit kits have already updated their arsenal to include this CVE. Here’s an analysis of a sample used by the Nuclear Exploit Kit:

As you can see, the sample is heavily obfuscated. Decompilation of obfuscated SWF exploits is often imperfect, but this time it was successful. We used the FlashDevelop IDE to ‘debug’ this sample. First we exported the ‘Scripts’ and the ‘binaryData’ section from this exploit and created a new Flex ActionScript project.

This is a typical two-stage exploit: stage 1 loads bytes from ‘binaryData’ and decrypts them. The decrypted data is the second-stage SWF file, which contains the actual exploit. We can see the key being passed to the decrypt routine:

This decrypt routine returns a ByteArray containing the stage 2 SWF file. We used ActionScript’s trace functionality to dump this array: a trace statement was injected into the decryption routine to print the array to a log file:

The log dumps the bytes

Looking at it in a hex viewer, we can see a compressed SWF file.

Let’s decompile this file:

We can clearly see the vulnerability being exploited.

The SonicWall team has created the following signatures, which protect customers from this exploit.

  • [GAV] CVE-2015-5119.B_3 (Exploit)
  • [GAV] CVE-2015-5119.A_12 (Exploit)
  • [GAV] CVE-2015-5119.A_11 (Exploit)
  • [GAV] CVE-2015-5119.A_10 (Exploit)
  • [GAV] CVE-2015-5119.A_9 (Exploit)
  • [GAV] CVE-2015-5119.A_8 (Exploit)
  • [GAV] CVE-2015-5119.A_7 (Exploit)
  • [GAV] CVE-2015-5119.TTY (Exploit)
  • [GAV] CVE-2015-5119.A_6 (Exploit)
  • [GAV] CVE-2015-5119.A_5 (Exploit)
  • [GAV] CVE-2015-5119.A_4 (Exploit)
  • [GAV] CVE-2015-5119.A_3 (Exploit)
  • [GAV] CVE-2015-5119.C_2 (Exploit)
  • [GAV] CVE-2015-5119.C (Exploit)
  • [GAV] CVE-2015-5119.B_2 (Exploit)
  • [GAV] CVE-2015-5119.B (Exploit)
  • [GAV] CVE-2015-5119.A_2 (Exploit)
  • [GAV] CVE-2015-5119.A (Exploit)
  • [GAV] CVE-2015-5119.DH_2 (Exploit)
  • [GAV] CVE-2015-5119.DH (Exploit)

Two more Flash 0-days as a result of HackingTeam data leak

As we discussed in our previous blog on the recent Adobe 0-day (CVE-2015-5119), two more vulnerabilities surfaced from the same HackingTeam data leak:

  • CVE-2015-5122: Adobe Flash ActionScript3 opaqueBackground Use After Free Vulnerability
  • CVE-2015-5123: Adobe Flash Player BitmapData Remote Code Execution Vulnerability

All three vulnerabilities are use-after-free vulnerabilities, although they occur in different classes. The exploits trigger the bug by overriding the ‘valueOf()’ function of these classes. During the override, the associated object is either freed or relocated. This makes the associated address invalid, which triggers the vulnerability.

Here’s an example of CVE-2015-5123, where a ‘BitmapData’ object is created and disposed of by overriding the ‘valueOf()’ function:
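The analysis above dumps a decrypted ByteArray, recognises it as a compressed SWF, decompiles it and then looks for the ‘valueOf()’ override pattern. The following Python script is an added example of how an analyst can automate the first part of that triage; it is not SonicWall code and the identifier list it watches for is a hypothetical heuristic, not a detection signature. It validates the 8-byte SWF header, inflates a zlib-compressed (CWS) body, walks the tag list and flags DoABC (ActionScript 3 bytecode) tags that mention valueOf together with one of the classes named in the advisories. `carve_swf` finds a SWF header inside a larger blob such as a trace dump, and `build_sample` constructs a harmless test file (not an exploit) so the script runs offline.

```python
import struct
import zlib

DO_ABC = 82   # SWF tag code for DoABC (ActionScript 3 bytecode)
END_TAG = 0   # SWF tag code for End

# Identifiers whose co-occurrence inside one DoABC tag matches the
# valueOf()-override pattern described above. Hypothetical triage
# heuristic for an analyst, not a SonicWall signature.
WATCH = (b"valueOf", b"ByteArray", b"BitmapData", b"opaqueBackground")


def unpack_swf(data):
    """Validate the 8-byte SWF header and return (version, uncompressed body)."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    (declared_len,) = struct.unpack_from("<I", data, 4)
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":                      # zlib-compressed, like the dumped stage 2
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled by this example")
    else:
        raise ValueError("not a SWF: signature %r" % sig)
    if declared_len != 8 + len(body):        # declared length counts the header
        raise ValueError("declared length %d != actual %d" % (declared_len, 8 + len(body)))
    return version, body


def first_tag_offset(body):
    """Skip the frame RECT (5-bit nbits field, then 4 * nbits bits), FrameRate and FrameCount."""
    nbits = body[0] >> 3
    rect_len = (5 + 4 * nbits + 7) // 8
    return rect_len + 2 + 2


def iter_tags(body):
    """Walk the tag list: 16-bit header = code << 6 | length; 0x3F means a 32-bit length follows."""
    tags, pos = [], first_tag_offset(body)
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == END_TAG:
            break
    return tags


def triage(data):
    """Unpack a SWF and flag DoABC tags mentioning valueOf plus one of the watched classes."""
    version, body = unpack_swf(data)
    tags = iter_tags(body)
    hits = []
    for idx, (code, payload) in enumerate(tags):
        if code != DO_ABC:
            continue
        found = [w.decode() for w in WATCH if w in payload]
        if "valueOf" in found and len(found) > 1:
            hits.append((idx, found))
    return {"version": version, "tag_codes": [c for c, _ in tags], "hits": hits}


def carve_swf(blob):
    """Offsets in an arbitrary blob (e.g. a decrypted ByteArray dump) where a plausible
    SWF header starts: known signature, sane version byte, declared length >= 8."""
    found = []
    for i in range(len(blob) - 7):
        if blob[i:i + 3] in (b"FWS", b"CWS", b"ZWS") and 1 <= blob[i + 3] <= 40:
            (declared_len,) = struct.unpack_from("<I", blob, i + 4)
            if declared_len >= 8:
                found.append(i)
    return found


def build_sample(compressed):
    """Constructed test file (not an exploit): one DoABC tag whose bytes merely
    contain the watched identifiers, followed by an End tag."""
    abc = b"\x01\x00\x00\x00frame1\x00" + b"\x10\x00\x2e\x00" + b"\x00valueOf\x00ByteArray\x00"
    do_abc = struct.pack("<H", (DO_ABC << 6) | 0x3F) + struct.pack("<I", len(abc)) + abc
    body = b"\x00" + b"\x00\x18" + b"\x01\x00" + do_abc + struct.pack("<H", 0)  # RECT, rate, count, tags
    header = (b"CWS" if compressed else b"FWS") + bytes([18]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    print(triage(build_sample(True)))
    print(carve_swf(b"junk" + build_sample(False) + b"tail"))
```

The string match is deliberately crude: it runs over the raw DoABC bytes rather than a parsed constant pool, so it is a first-pass filter to decide which samples deserve a full decompile, not a verdict.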

The SonicWall team has written the following signatures, which protect our customers from these exploits:

  • 15380.CVE-2015-5119.B_3 Exploit
  • 15392.CVE-2015-5119.A Exploit
  • 15398.CVE-2015-5119.DH_2 Exploit
  • 15399.CVE-2015-5119.A_2 Exploit
  • 15400.CVE-2015-5119.B Exploit
  • 15404.CVE-2015-5119.C Exploit
  • 15410.CVE-2015-5119.C_2 Exploit
  • 15413.CVE-2015-5119.A_4 Exploit
  • 15415.CVE-2015-5119.A_5 Exploit
  • 15416.CVE2015-5119.SW Exploit
  • 15418.CVE-2015-5119.A_6 Exploit
  • 15419.CVE-2015-5119.TTY Exploit
  • 15420.CVE-2015-5119.A_7 Exploit
  • 15423.CVE-2015-5119.A_10 Exploit
  • 15424.CVE-2015-5119.A_11 Exploit
  • 15426.CVE-2015-5119.A_12 Exploit
  • 15550.CVE-2015-5122.SW Exploit
  • 15553.CVE-2015-5122 Exploit
  • 15670.CVE-2015-5123.A Exploit

How to Make Your Network Security Infrastructure Future-Ready

It is clear that today’s businesses require reliable network connectivity, and access to both corporate and Internet resources. Connections to and from business units, external customers and SOHOs are all equally important to ensure continuity. Business runs all day, every day, even in off hours. Most companies run operations around the clock, seven days a week, so it is important to realize that solid business continuity strategy and redundancy technology should be considered and implemented.

To enable business productivity, Internet access must be operating and available all of the time. This is sometimes referred to as five nines (99.999%) uptime. Because things break and unforeseen events occur, we need to create an architecture that is ‘highly available’: up as much as possible, with failures anticipated ahead of time, so that the only downtime is for planned maintenance.

Redundancy means different things to different people, but to SonicWall, it means having no single (or in some cases tertiary) point of failure from Layer 2 to Layer 7.

In this exercise at SonicWall World Software User Forum, in Austin, TX, we will dive into the new Firewall Sandwich design that combines the best of breed SonicWall next-gen firewall and SonicWall Networking switch technologies. In this architecture, we will create redundancy in your core/edge network, and review how to properly design and implement this technology in case of a disaster. We will also briefly discuss the failover and failback operation, which may be needed if or when any of the components within our SonicWall solution fail.

We invite you to attend this exclusive SonicWall “How to make your network security infrastructure future-ready” technical training session. Upon completion of this course, you will have in-depth knowledge and a clear understanding of how to implement your future-proofed, network-based scale-out security layer architecture. This is a highly resilient design that offers transparent security services to augment existing security solutions, separates security functions and provides added capacity via N+1 redundancy to solve your most complex and demanding data center requirements. The SonicWall solution delivers the following benefits:

  • Scalability, add more capacity as you go reusing existing equipment
  • Redundancy and resiliency
  • In line upgrade for both firewalls and switches, no need to take a system down for maintenance
  • Single point of management for the Firewall cluster, ability to enforce policies to multiple firewall cluster blades
  • Full security services capability

I look forward to seeing you in Austin for the SonicWall World Software User Forum; follow the conversation for updates on Twitter @SonicWall #DWUF and #SonicWallWorld. Register today and take advantage of the Buy One Get One offer. If you purchase one pass to the SonicWall World Software User Forum, we will include one additional pass at no extra cost for a colleague.

How Next Gen Firewalls are Keeping Up with Ever Growing Pipes

Scaling security devices is much more difficult than scaling routers or switches. A router acts on the destination IP lookup only, a 32- or 128-bit fixed-length value, whereas a switch acts on a 48-bit fixed-length MAC address, looking up the destination MAC and adding the source MAC to a lookup table. Those values are not just fixed length; they also appear at the same place in a data frame.

Routers and switches therefore embraced silicon very early on. Custom chips were designed, composed of transistors that form logic gates such as NAND or OR gates. Those logic gates are hardwired on the chip. These chips are called Application Specific Integrated Circuits, or ASICs for short.

The logic in an ASIC used for routers and switches is hardwired, very similar to the electronic components on an old TV circuit board. Unlike an old tube TV, those ASICs process digital data. They can extract IP and MAC addresses extremely fast, or perform routing and forwarding table lookups in real time. Real time means that performing a function always takes the same time, regardless of load and run time.

There are several drawbacks with ASICs, though. First, ASICs cannot be changed once they leave the foundry. Second, there is a long lead time to developing an ASIC. ASICs are simulated in software but can only be tested when a real sample exists. Producing samples is very costly, hence a long time is spent testing an ASIC in software emulation before the first sample is built. This means that the technology used in an ASIC might be two or three years old before it hits production. And third, the development costs of ASICs are very high, which makes them expensive for low-volume production and incremental versioning. The same ASIC generation has to be amortized over many years. The span between ASIC generations can therefore be five or more years, specifically for ASICs that are made for only one vendor’s products and see low production counts.

While this works for routing and switching, which have not fundamentally changed in a decade or two (there are still routers and switches in production today that have outlived a decade in service), this approach cannot be used for security, where new threats appear by the minute. Threats typically do not obey fixed-length requirements, nor are they found at the same place within a data frame. RFC 3514 has not been widely adopted by the black-hat community, for some reason.

The solution is to use microprocessors. Microprocessors are completely flexible and can be programmed in an instant to perform various tasks. Early firewalls started on common office-technology processors, mostly Intel i386 but also PowerPC. The early firewalls were extensions to routers or switches. Security rules matched on source and destination IP, IP protocol ID, and source and destination ports for UDP and TCP: all fixed-length values appearing at the same place within a data frame. While those general-purpose processors were programmable, they were not fast and, depending on the underlying operating system, not predictable in terms of timing. This created substantial delay and jitter between packets. Security vendors took a hint from router and switch vendors and created ASICs to perform value extraction, table lookup and packet switching. During the stateful-inspection days, ASIC-based systems were very successful.

Stateful packet inspection (SPI) works by tracking TCP connection state between a client and a server socket. A socket is the combination of an IP protocol and a port. The two most common protocols are stateless UDP and stateful TCP. Stateful inspection controlled access between sockets, that is, access between clients and server applications. The problem with stateful packet filters these days is that traffic uses few sockets and clients need access to many more servers. Other applications, such as peer-to-peer (P2P) file sharing, can use any socket. For instance, an internal client makes almost all of its connections over HTTP and HTTPS and needs access to the entire Internet. In addition, a malicious attack can come over a legitimate connection, e.g. browsing a reputable news site that serves a banner ad with malicious code embedded.

Deep packet inspection (DPI) inspects the actual data stream that flows between a client and a server. DPI can identify the application independent of sockets, and can look within the data stream for malicious code, or categorize applications and content. Whereas DPI was originally an add-on to SPI, these days it has replaced SPI, as SPI is no longer effective in stopping threats or controlling traffic flows. The term Next-Generation Firewall (NGFW) implies DPI functionality. This includes common services such as user, application and content identification, as well as intrusion prevention, gateway antivirus, geo-fencing, botnet detection, bandwidth controls and so on. Today, SSL decryption of client traffic is increasingly important in order to look into the payload of the data stream. After the recent website disclosures, we have seen a steady trend toward more encryption, which according to some predictions might reach two thirds of all sites by the end of next year.

DPI cannot easily be done in silicon; in other words, only a few sub-functions can be done in hardware. DPI systems often employ hardware coprocessors that do cryptography, pattern matching, table look-ups and framing. Vendor-specific custom ASICs are less common today due to the cost of development. Sometimes Field Programmable Gate Arrays (FPGAs) are used instead, since their development cycle is short, but their performance is significantly lower than that of an ASIC system, and there is little benefit over modern multicore processors. Another strategy by vendors that are locked into ASICs is adding a microprocessor core to their legacy silicon. Performance of those afterthoughts is poor.
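The contrast drawn above, fixed-offset fields that an ASIC can extract in constant time versus variable-length patterns that can start anywhere in a stream, is easiest to see in code. The following Python is an added example written for this page (not SonicWall’s engine, and not a description of how RFDPI is implemented): `parse_fixed_fields` is the router/switch view of a constructed Ethernet/IPv4/TCP frame, where every field sits at a known offset, and `StreamMatcher` is the DPI view, which must search payloads for patterns of any length, including a pattern that straddles two packets, without buffering and reassembling the whole connection. The frames, addresses (RFC 5737 test ranges) and marker strings are constructed test data.

```python
import struct


def parse_fixed_fields(frame):
    """Router/switch view: every field of interest lives at a fixed offset
    (Ethernet II + IPv4 + TCP assumed; IPv4 options honoured via IHL)."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0800:
        raise ValueError("only IPv4 handled in this example")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4                 # header length in bytes
    proto = frame[ip + 9]
    if proto != 6:
        raise ValueError("only TCP handled in this example")
    src_ip = ".".join(str(b) for b in frame[ip + 12:ip + 16])
    dst_ip = ".".join(str(b) for b in frame[ip + 16:ip + 20])
    tcp = ip + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4         # TCP header length in bytes
    return {
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "src_ip": src_ip, "dst_ip": dst_ip, "sport": sport, "dport": dport,
        "payload": frame[tcp + data_off:],
    }


class StreamMatcher:
    """DPI view: patterns are variable length and may start anywhere, even across
    a packet boundary. Instead of reassembling the stream, carry only the last
    (longest pattern - 1) bytes from one packet to the next."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.keep = max(len(p) for p in self.patterns) - 1
        self.carry = b""

    def feed(self, payload):
        """Return [(pattern, offset)] for matches that end inside this payload;
        a negative offset means the match began in the previous packet."""
        buf = self.carry + payload
        hits = []
        for p in self.patterns:
            start = buf.find(p)
            while start != -1:
                if start + len(p) > len(self.carry):   # not already reported last time
                    hits.append((p.decode(), start - len(self.carry)))
                start = buf.find(p, start + 1)
        self.carry = buf[-self.keep:] if self.keep else b""
        return hits


def scan_packets(frames, patterns):
    """Parse each frame by fixed offsets, then stream its payload through the matcher."""
    matcher = StreamMatcher(patterns)
    results = []
    for i, frame in enumerate(frames):
        f = parse_fixed_fields(frame)
        for name, off in matcher.feed(f["payload"]):
            results.append({"packet": i, "pattern": name, "offset": off,
                            "flow": (f["src_ip"], f["sport"], f["dst_ip"], f["dport"])})
    return results


def build_frame(payload, sport=40000, dport=80):
    """Constructed Ethernet/IPv4/TCP frame with zeroed checksums (test input only)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([203, 0, 113, 10]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 0xFFFF, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    # The marker is split "EVIL-" / "MARKER" across two packets on purpose.
    frames = [build_frame(b"GET / HTTP/1.1\r\nHost: constructed.invalid\r\n\r\n<html>EVIL-"),
              build_frame(b"MARKER</html>")]
    print(scan_packets(frames, [b"EVIL-MARKER", b"BAD-PAYLOAD"]))
```

A per-packet scan with no carry-over would miss the split marker entirely, which is why content inspection needs per-flow state and a search engine, while the header lookups above need neither.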

To summarize: stateful inspection is no longer effective in protecting a network. DPI benefits from ASICs only for some repetitive sub-functions, but custom ASIC development is expensive, with multi-year amortization cycles. On the other hand, office computer and server processors are too slow to scale DPI beyond a few Gbps. They are also expensive and consume a lot of power, which means they cannot be packaged very densely, limiting the maximum throughput of the system.

SonicWall solved this problem by creating a security platform that is free from legacy. It is not based on custom ASICs but uses high-volume ASIC functions, and it does not use power-hungry, expensive microprocessors but large clusters of processors more commonly found in low-power applications such as smartphones. This permits a high packaging density of massively parallel processing, both in general-purpose microprocessors and in ASIC coprocessors, used for signature matching, table lookup, cryptography, framing, hashing and switching.

SonicWall uses Cavium’s Octeon systems-on-a-chip (SoC) with up to 32 individual MIPS64 cores. Multiple SoCs can be combined: systems can have up to eight processing blades, with one Octeon processor each, within the same small two- or three-RU hardware enclosure. Enclosures can be deployed individually, as active/passive HA pairs, or clustered in a security fabric with a combined 2,048 cores and DPI throughput of over 300 Gbps.

A single-pass security engine, Reassembly-Free Deep Packet Inspection (RFDPI), for which SonicWall was awarded a patent, brings this streamlined hardware with massive processing ability to life. RFDPI processes on SonicWalls around the world, over 2,000,000 devices today, share intelligence with each other, enabled by the SonicWall GRID cloud. The GRID also offers cloud services such as sandboxing and access to a signature base of over 21,000,000 signatures and growing: 40,000 new malware samples are analyzed every day.

The philosophy behind SonicWall is to offer price-effective, massively parallel processing power that is highly scalable, and to enable it with sophisticated on-board software that is connected via the cloud.

Mobile Security Checklist to Minimize Risk

The number of mobile devices in the workplace is exploding and, with this, a new frontier for cyber-attack is emerging that poses a significant risk to business. As the great philosopher and strategist Sun Tzu wrote, “Know your enemy and know yourself and you can fight a hundred battles without disaster.”

Threat analysts are finding that malware isn’t just a problem for laptops any more. For example, reports indicate that the CloudAtlas campaign, a sophisticated advanced persistent threat that initially targeted Windows machines, has made its way to mobile platforms including Android, Apple iOS and BlackBerry. Our own SonicWall Security Threat Research Center uncovered the Android counterpart of the CloudAtlas campaign. This malware masquerades as an update for the popular messenger app WhatsApp and, in turn, spies on a victim’s device to obtain sensitive data, such as texts, contacts and calendar information, and passes it back to the attacker, creating a huge business risk.

Could you, or one of your employees unknowingly have a mobile device infected with malware harvesting your confidential business data?

Fundamentally, there are two key business risks you need to protect against as workers go mobile. The first is theft or loss of mobile data. The second is mobile devices becoming conduits for malware attacks that affect corporate systems and data. So what are the mobile threats you need to be aware of to protect your business?

Here’s a checklist of threats you need to be prepared to tackle in the mobile worker era:

  1. Lost and stolen devices. No surprise here. If a device is lost or stolen and corporate data was stored on the device, there’s a risk of confidential data loss. An even bigger risk is a lost or stolen device being used to gain access to corporate data and apps on the back end. Significantly more data could be impacted if an unauthorized user with a lost or stolen mobile device gains access to the data center. This is particularly problematic for businesses subject to regulatory compliance.
  2. Mobile malware and vulnerabilities. Another concern is rogue apps downloaded to devices containing information-stealing malware, such as the CloudAtlas threat discussed above, or vulnerabilities in devices, OS design and third-party apps. These threats provide an entry point for attacks and can lead to data theft and downtime. Again, this is a risk for data on the device, but potentially an even bigger risk if the device becomes a conduit for malware to infect back-end data systems and cause data loss or downtime.
  3. Data leakage through third-party apps. Corporate data and apps co-mingling with personal data and apps on devices can also create risk and lead to corporate data leaking, either intentionally or unintentionally. For example, many social apps mine contact lists from other apps and invite contacts to join their service. With this, confidential customer contact information stored in a business app could unintentionally be “shared” with a personal social app, leaking customer contact information and potentially damaging a business’s reputation or violating regulatory rules.
  4. Insecure Wi-Fi. Lastly, the risk of man-in-the-middle attacks. Attackers can snoop data if traffic is sent over unencrypted networks such as public Wi-Fi. Data in flight is likely the pulse of the business. It likely contains fresh, sensitive data, and may even contain data subject to legal or regulatory requirements for confidentiality. If that data is intercepted, it could be damaging to the business. Although the relative quantity of data lost or stolen in the case of in-flight traffic interception is likely small, the potential for damage is still there. So, to protect in-flight data from interception, data should be encrypted.

Mobile Security Solution

So, now that we have reviewed the top threats, how can you prepare to win the mobile security battle to come? To protect from these threats, the best defense is a good offense.

Secure container and encryption technologies such as Enterprise Mobility Management (EMM) can help isolate and secure business apps and data on mobile devices. This is a great start, but company data and networks are still at risk if only on-device data protection is addressed. Security is an end-to-end mobile workflow challenge.

For comprehensive mobile security, in addition to EMM, deploy security and access control technologies in your IT infrastructure that authenticate users, interrogate devices, OSes and mobile apps, and validate their integrity. Only grant VPN access to trusted users, devices and business apps, to help protect from rogue access and malware attacks. Also deploy next-gen firewalls to scan mobile traffic entering your network and block malware before it infects corporate systems and data; they can also block access to and from disreputable web applications and sites, adding another layer of protection.

For more information on the security and access solutions you need to enable mobile worker productivity while protecting from threats, read our eBook: SonicWall Secure Mobile Access.

How We Built a Self Healing Double Ring Helix w SonicWall Next Gen Firewalls

In this guest post, our customers Kelley Parkes, Director of Technical Operations (on the right), and Dave Rupert, Systems Engineer (on the left), at First Source describe how their company built a site-to-site VPN with SonicWall NSAs and TZs to enable secure collaboration and failover protection for sites spread across the country.

When your company grows by acquisition, the way ours does, your IT group has to run fast and hard just to keep up with more users, more sites, more remote connections and a secure perimeter that keeps expanding.

We’ve recently switched from keeping-up mode to being ahead of the curve thanks to a combination of our own internal expertise,  SonicWall next-generation firewalls and implementation help from Cerdant. I figured a lot of the people following Tech Center are in the same boat, so I asked SonicWall to let me share what we’re doing.

An expanding security perimeter

Our company is a nationwide distributor of specialty foods and confections from manufacturers like Godiva, Ghirardelli and Lindt. When you buy candy at Walmart, Cracker Barrel and Bed Bath & Beyond, chances are it comes from First Source.

We started out with sites in Virginia and Tennessee. We merged with a company in Buffalo, New York, and then we acquired a California location. Now we cover the entire country with around 500 employees in four main warehouses, two remote warehouses, one retail store and our data center. That means that our security perimeter covers eight locations from one coast to the other.

We had been using the ZyXEL 35, which has a very simple firewall application. However, when we looked at the roadmap of functions we wanted to offer the business, we knew the ZyXEL wouldn’t handle enough of them:

  • Remote computing: We had no secure VPN for remote users. We used simple port forwarding over the ZyXEL firewall to give users remote desktop access. That offered some security, but nothing near the encryption level we wanted from a secure VPN.
  • Protection beyond the perimeter: There was no mobile security for users connecting on BYO devices outside of our perimeter.
  • Quality of service for VoIP: We plan a move to voice over IP soon, so besides network security we needed the ability to carve out QoS for that.
  • Content filtering: We wanted the ability to block access to sites that waste time and devour bandwidth. Even more important for PCI compliance, we needed to be able to check any personally identifiable information or outgoing data that looks like a credit card number or a Social Security number.

And then strategically, we wanted everybody to be able to collaborate across the same network. For all of these reasons, we decided to build out a site-to-site VPN.

How to build a resilient, site-to-site VPN

We knew we were going to upgrade from the ZyXEL, so we looked at products from vendors like Cisco and Barracuda. We ended up selecting  SonicWall NSA and TZ Series next-gen firewalls, mostly because of their secure VPN, which would make it easier for all of us to log in remotely anytime from anywhere and access in-house files, applications and printers. The support team at SonicWall pointed me to Cerdant and we chose them as our implementation partner.

Cerdant is dedicated to SonicWall operation and applications, and they’ve given us good ideas based on our needs. The hardware inventory for our site-to-site VPN goes like this:

  • NSA 4500 in Virginia
  • NSA 3500 in Tennessee
  • NSA 3600s in California and New York
  • TZ 205s in each of the remote warehouses locations, at our retail store and at the data center

All of our SonicWall firewalls are connected by MPLS and business-class high-speed internet circuits. We’ve used them to create a primary, internal, closed-loop network over dedicated, fiber-optic MPLS lines (10 Mbps), which cost about $1,500 per month per site on average. We lease a secondary loop over standard ISP circuits (100 Mbps down, 20 Mbps up) for about $350 a month. (The retail store connects through its local cable provider for about $75 a month.) The secondary is a fallback loop in case the MPLS connection drops for a few minutes or a few hours.

The best part is that the SonicWall firewalls can use a probe to detect when the primary connection goes down and can automatically failover to the secondary loop. In fact, I can think of three or four times in the last year that the MPLS loop has dropped for anywhere from ten to 40 minutes and we’ve flipped over to that secondary network of internet connections.

Cerdant has been a great partner for us. They’ve automated the SonicWall firewalls to fail over from the primary to the secondary loop, and then back to the primary after our carrier has restored the MPLS connection.

As I mentioned, we went with SonicWall firewalls mostly because of the secure VPN. I’m very glad we’ve also gotten a self-healing, double-loop network in the bargain.

Saved about $20,000 on hardware alone

We’ve seen other big advantages to deploying SonicWall throughout the company: operational, IT and financial advantages.

On the operations side, it’s been much easier to support our service level agreement, which is our commitment to users that we’ll keep our systems up and running. With the double-loop network, we don’t lose connectivity between locations, so we have full business continuity in the event our network fails.

From an IT perspective, we’ve gotten so much more than just firewall hardware. We reap the benefits of SonicWall features like deep packet inspection, gateway antivirus, anti-spyware, bandwidth management, content filtering and secure VPN, as well as SonicWall’s continuous threat research.

Financially, we’ve saved $5,000 to $6,000 per location on load balancing equipment. Our self-healing, double-loop network configuration required load and link balancers, and we get those functions from the SonicWall firewalls, in addition to all of the firewall security features they offer. That has saved us at least $20,000 in building out our network.

Your turn

When I first started this project, I researched several forums and saw other sys admins and IT managers trying to figure out how to connect multiple sites and asking questions about failover protection and the best type of connectivity. I could see that many of my counterparts aren’t happy with what they have in place. We’re very pleased with what we’ve implemented with SonicWall and Cerdant, and I wanted to describe it as a viable option for configuring a resilient network.

How do you connect your remote locations? What site-to-site VPN configuration works for you? Let me know in the comments below.

Upatre.SMJ a Malware Hides in encrypted PNG Image

The Dell SonicWall Threats Research team observed reports of a new malware family, named GAV: Upatre.SMJ, actively spreading in the wild. This time attackers used a dropper to download the original malware, which hides in image (encrypted PNG) files to avoid detection by firewalls.

Infection Cycle:

The Malware uses the following icon:

MD5:

  • 051e79a2d44a8dba92e98ae9c4be2399 – Main executable

Dropper:

  • 88ff4cfd4154c9b112a963700dfcd560 – Image PNG file

The Malware adds the following files to the system:

  • Malware.exe
    • %Temp%\tzojedox.exe
    • %Temp%\TZ9D-23.txt
  • Tzojedox.exe
    • %Temp%\kiuwken.exe
    • %Temp%\TZ9D-23.txt
  • Kiuwken.exe
    • C:\WINDOWS\enCSuFWrQQsXBxp.exe

The Malware adds the following key to the Windows registry to ensure persistence upon reboot:

Once the computer is compromised, the malware copies its own executable file to the Temp folder.

The file tzojedox.exe is dropped after the malware launches on the target system. The malware then tries to download encrypted PNG files from its own C&C server, such as the following domains:

Here is an example of an encrypted PNG file:

The malware tries to retrieve your computer name, your Windows version and your IP address, then transfers this information to its own C&C server, such as the following IPs:
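A file that is really an encrypted payload with a .png name or a PNG signature prepended will not survive a structural check, even though a firewall matching only on the extension or the 8-byte signature would let it through. The following Python validator is an added example, not SonicWall code: it walks the PNG chunk list, verifies each chunk’s CRC, requires a 13-byte IHDR first and an IEND last, and reports any bytes appended after IEND (another common way of hiding a payload in an otherwise valid image). `build_valid_png` constructs a 1x1 test image so the script runs offline; the “hidden payload” bytes are constructed too.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Return ([(type, payload), ...], trailing_bytes_after_IEND).
    Raises ValueError on a bad signature, truncation or CRC mismatch."""
    if data[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    chunks, pos = [], 8
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        (length,) = struct.unpack_from(">I", data, pos)
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length                    # length + type + payload + CRC
        if end > len(data):
            raise ValueError("truncated %r chunk (declared %d bytes)" % (ctype, length))
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        chunks.append((ctype, payload))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def validate_png(data):
    """Verdict: 'valid', 'suspicious' (valid image with data after IEND) or 'invalid'."""
    try:
        chunks, trailing = png_chunks(data)
    except ValueError as exc:
        return {"verdict": "invalid", "reason": str(exc), "trailing": 0}
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        return {"verdict": "invalid", "reason": "first chunk is not a 13-byte IHDR", "trailing": len(trailing)}
    if chunks[-1][0] != b"IEND":
        return {"verdict": "invalid", "reason": "no IEND chunk", "trailing": 0}
    width, height, depth, color_type = struct.unpack_from(">IIBB", chunks[0][1])
    return {
        "verdict": "suspicious" if trailing else "valid",
        "reason": ("%d bytes after IEND" % len(trailing)) if trailing else "",
        "width": width, "height": height, "bit_depth": depth, "color_type": color_type,
        "chunk_types": [c.decode() for c, _ in chunks],
        "trailing": len(trailing),
    }


def chunk(ctype, payload):
    """Encode one chunk with a correct CRC (used only to build test input)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_valid_png():
    """Constructed 1x1 RGB image: IHDR, one IDAT (filter byte + red pixel), IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


if __name__ == "__main__":
    print(validate_png(build_valid_png()))
    print(validate_png(build_valid_png() + b"CONSTRUCTED-HIDDEN-PAYLOAD"))
    print(validate_png(PNG_SIG + bytes(range(256))))   # signature only, garbage after it
```

Run it over files fetched with an image content type: a download that fails this check, or carries a large tail after IEND, deserves the same scrutiny as an executable.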

Command and Control (C&C) Traffic

Upatre.SMJ performs C&C communication over ports 443 and 80. The malware sends your system information to its own C&C server in the following format; here are some examples:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Upatre.SMJ (Trojan)

Cross-Site Scripting in Apple CUPS Web Interface

The Apple CUPS web interface, written as CGI, is vulnerable to reflected cross-site scripting. While processing a GET request, if the URL contains an tag, the vulnerable CGI enters a while loop until it finds the closing double quote (“) and copies over all the characters without escaping them.

An attacker can entice a user to follow a URL containing the exploit so that the attacker-controlled script executes, which can lead to disclosure of information and impersonation of the target.
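The defect described above is a copy loop whose only stop condition is the closing quote, so every other character, including `<` and `>`, is emitted into the page verbatim. The following Python is an added example that is not CUPS code: the page fragment, the CGI path and the `name` parameter are hypothetical. It reproduces the copy-until-quote pattern beside the hardened form, where the reflected value passes through `html.escape` (with `quote=True`, so quotes are encoded as well and the value can never terminate the attribute or element that holds it).

```python
import html
from urllib.parse import parse_qs, urlsplit


def reflected_value(url, param):
    """Pull one query parameter out of a request URL (hypothetical parameter name)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(param, [""])[0]


def copy_until_quote(text):
    """The advisory's pattern: copy characters verbatim until the closing double
    quote. Nothing in the loop escapes <, >, & or anything else."""
    out = []
    for ch in text:
        if ch == '"':
            break
        out.append(ch)
    return "".join(out)


def render_vulnerable(url):
    """Reflects the parameter into HTML using the unescaped copy loop."""
    value = reflected_value(url, "name")
    return '<p>Results for "%s"</p>' % copy_until_quote(value)


def render_hardened(url):
    """Same page, but the reflected value is HTML-escaped (quotes included)."""
    value = reflected_value(url, "name")
    return '<p>Results for "%s"</p>' % html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed request: the parameter carries markup, URL-encoded as a browser would send it.
    url = "/constructed.cgi?name=queue1%3Cb%3Einjected%3C/b%3E"
    print(render_vulnerable(url))   # the <b> element reaches the browser as markup
    print(render_hardened(url))     # the same bytes reach it as visible text
```

The test for any reflected field is the one shown here: encode the output for the context it lands in (HTML body, attribute, JavaScript string) rather than scanning for a terminator, because the terminator check only bounds the copy, it does not neutralise what is copied.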

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

0-day Flash Exploit From Hacking Team Data Leak (July 7, 2015)

HackingTeam has discovered a 0-day exploit in the wild in Flash Player. This exploit works against the most recent version of Flash Player (18.0.0.194). The exploit triggers a use-after-free vulnerability in Flash Player.

The vulnerability occurs when an element of a ByteArray of a certain size is assigned an object. The assignment first saves the offset address of the array in a local variable. Then, to calculate the value of the object, the ‘valueOf()’ function is invoked on the object. This function is overridden with code that changes the length of the ByteArray, so the array is relocated. This invalidates the saved offset address, triggering the use-after-free. With this vulnerability it is very easy to predict and control the address, which makes it very easy to exploit.

We are closely monitoring if there are any other exploits in-the-wild.

SonicWall has written the following signatures, which protect our customers from this exploit:

  • SPY 1069 : Malformed-File swf.OT.29
  • SPY 1366 : Malformed-File swf.MT.16

This vulnerability is referred to as CVE-2015-5119.

Deep Dive Into SonicWall Security at the SonicWall World 2015 Software User Forum

During my 14 years with SonicWall Security (formerly SonicWall), I’ve never seen a greater need for powerful network security, and the SonicWall World Software User Forum provides a great opportunity for you to mingle with some of the most powerful minds in security today.

We’re excited to finally be able to host a dedicated security customer forum at this event. We’ve had a fantastic year and we can’t wait to show you our new lineup of SonicWall TZ Series firewalls, new SonicWall Secure Mobile Access (SMA) appliances and a few yet-to-be-released products. Some of the break-out sessions that I’m especially looking forward to are: Strategic Direction & Vision, SonicWall Next-Generation Firewall Technology overview, and How to make your network security future ready and, of course, the top secret band that will be performing.

Register for the SonicWall Security Track at the SonicWall World Software User Forum 2015 and learn how to address these security challenges head-on with direct access to engineers and experts for the security products you depend on every day. Some of the highlights include:

  • Learn practical methods for getting the most out of your SonicWall device
  • Get a sneak peek at the newest tech
  • Participate in hands-on tech labs

Experience the visionary keynotes from our leaders and industry experts in the SonicWall World 2015 general sessions. Explore the SonicWall World Solution Showcase with partner and product demos highlighting the innovation and cutting-edge technology in mobility, cloud, big data, networking and more. Plus, enjoy the music of our secret special band at the Opening Night concert.

Take advantage of the Buy One Get One offer today. If you purchase one pass to the SonicWall World Software User Forum, we will include one additional pass at no extra cost for a colleague.

And here are more good reasons not to miss out on SonicWall’s annual conference:

  • Attend 13 in-depth, security-specific sessions including:
    • Technology and roadmap deep dive for SonicWall next-gen firewalls
    • Advanced SonicOS management best practices
    • Advanced SuperMassive deployment best practices
    • Global Management System (GMS) as an enterprise firewall management console
    • Creating an enterprise “Clean VPN” solution using SonicWall products

There will be interactive discussions and access for you to speak to SonicWall product engineers, experts and executives. They will shed light on product direction and roadmaps for SonicWall products.

During my tenure, I’ve met many of you in-person, and I look forward to seeing you again. For those of you I haven’t met, I hope you will register for the event and join me for a handful of truly informational days at the Software User Forum.

It’s all yours from Oct. 20 through Oct. 22
at the Hilton Hotel in Austin, Texas.
Come help us paint the town blue!
(SonicWall blue, please)