Adobe Type Confusion Vulnerability CVE-2016-1019 Exploited in the Wild

A critical vulnerability has been reported in Adobe Flash Player. The CVE identifier for this vulnerability is CVE-2016-1019. It affects Flash Player on Windows, Mac, Linux and Chrome OS. An attacker who successfully exploits this vulnerability can execute arbitrary code remotely and potentially take over the system. Versions 21.0.0.197 and earlier are vulnerable.

Exploits of this vulnerability have been seen in the wild. Some examples are listed below:

  • 9d7561f5613114431bf906ede4bc1c40208a9e35
  • 7021457e03445f8f10e38cf5aed4a60a757ea326
  • 8670993b2e63e32260685a80b78d15adf5742a6a
  • 2173970148947e7954ac028fc2fd855445897be1

Although the vulnerability is being exploited in the wild, a mitigation introduced in Flash Player 21.0.0.182 prevents the exploitation technique used by these samples.

The exploits are obfuscated as usual. Even so, the attempts to exploit this vulnerability are easy to spot:

As you can see above, the code attempts to load bytes from ‘var_51’, which points to one of the byte arrays in the ‘binaryData’ section of the SWF file. That byte array is another SWF file embedded inside the first:

Let’s load this embedded SWF:

This is a heavily obfuscated file. The nature of the vulnerability requires two SWFs to work together: the embedded SWF is merely the second stage, and it is the one that triggers the vulnerability.
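When triaging a sample like this, an analyst will want to pull the second-stage SWF out of the ‘binaryData’ section (DefineBinaryData, SWF tag code 87) directly, rather than follow the obfuscated loader. The following Python is an added example, not SonicWall's code; it walks the SWF tag stream, handles uncompressed FWS and zlib-compressed CWS containers (not LZMA ZWS), and is run here against a small SWF constructed inline, not against the real samples.

```python
import struct
import zlib
DEFINE_BINARY_DATA = 87  # SWF tag code for DefineBinaryData (the 'binaryData' section)

def decompress_swf(data: bytes) -> bytes:
    """Return the SWF as uncompressed 'FWS' bytes; handles FWS and zlib CWS, not LZMA ZWS."""
    if data[:3] == b"FWS":
        return data
    if data[:3] == b"CWS":
        return b"FWS" + data[3:8] + zlib.decompress(data[8:])
    raise ValueError(f"unsupported SWF signature {data[:3]!r}")

def rect_size(data: bytes, off: int) -> int:
    """Byte length of the RECT at `off`: 5-bit nbits, then four nbits-wide fields, byte-aligned."""
    nbits = data[off] >> 3
    return (5 + 4 * nbits + 7) // 8

def iter_tags(body: bytes):
    """Yield (code, payload) for each tag of an uncompressed SWF body."""
    off = 8 + rect_size(body, 8) + 4  # signature+version+length, RECT, frame rate, frame count
    while off + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, off)
        code, length = hdr >> 6, hdr & 0x3F
        off += 2
        if length == 0x3F:  # long header: 32-bit length follows
            (length,) = struct.unpack_from("<I", body, off)
            off += 4
        yield code, body[off:off + length]
        off += length
        if code == 0:  # End tag
            break

def find_embedded_swfs(data: bytes):
    """Return [(character_id, blob)] for DefineBinaryData payloads that are themselves SWFs."""
    found = []
    for code, payload in iter_tags(decompress_swf(data)):
        if code == DEFINE_BINARY_DATA and len(payload) >= 6:
            char_id = struct.unpack_from("<H", payload, 0)[0]
            blob = payload[6:]  # skip CharacterID (2 bytes) and Reserved (4 bytes)
            if blob[:3] in (b"FWS", b"CWS", b"ZWS"):
                found.append((char_id, blob))
    return found
# Constructed sample (not a real malicious file): an outer SWF carrying a minimal inner SWF.
def make_tag(code: int, payload: bytes) -> bytes:
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
def build_swf(tags: bytes) -> bytes:
    swf = b"FWS" + bytes([10]) + b"\0\0\0\0" + b"\x00" + struct.pack("<HH", 0x1800, 1) + tags
    return swf[:4] + struct.pack("<I", len(swf)) + swf[8:]  # version 10, 1-byte RECT, patched length
INNER_SWF = build_swf(make_tag(0, b""))
SAMPLE_SWF = build_swf(make_tag(DEFINE_BINARY_DATA, struct.pack("<HI", 1, 0) + INNER_SWF) + make_tag(0, b""))
SAMPLE_CWS = b"CWS" + SAMPLE_SWF[3:8] + zlib.compress(SAMPLE_SWF[8:])
```

Each returned blob can be written to disk and fed back through the same function, since the embedded stage may itself be compressed or carry further embedded files.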

The Dell SonicWall team has created the following signatures to protect our customers from these exploits:

  • CVE-2016-1019.A_4(Exploit)
  • CVE-2016-1019.A_3
  • CVE-2016-1019.A_2
  • CVE-2016-1019.A