Zero-day vulnerability in Adobe Flash Player

Memory corruption
CVE-2011-0609

The vulnerability was used o target RSA. Two phishing emails with Microsoft Excel document with exploit were sent to two different groups of employees. The document with exploit code was named "2011 Recruitment plan.xls".

Known malware:

Exploit:SWF/CVE-2011-0609
Kaspersky Lab products detected the variants as тАЬTrojan-ropper.MSExcel.SWFDropтАЭ.

Vulnerability details

Advisory: SB2009031401 - Remote code execution Adobe Flash Player

Vulnerable component: Adobe Flash Player

CVE-ID: CVE-2011-0609

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-119 - Memory corruption

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in authplay.dll component. A remote attacker can create a specially Flash (.swf) file embedded in a Microsoft Excel (.xls) file, trick the victim into opening it, trigger memory corruption, and execute arbitrary code on the system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Known APT campaigns:

RSA breach

The stolen data was related to the SecurID technology.

The attack is believed to be performed by China based APT threat group.

Public Exploits:

- Adobe Flash Player - AVM Bytecode Verification (Metasploit) [Exploit-DB]

External links:

http://www.adobe.com/support/security/advisories/apsa11-01.html
http://www.adobe.com/support/security/bulletins/apsb11-06.html
http://www.kb.cert.org/vuls/id/192052
http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html
http://blogs.adobe.com/security/2011/03/background-on-apsa11-01-patch-schedule.html
https://cxsecurity.com/issue/WLB-2011030180
https://vimeo.com/22160459
http://m.2cto.com/Article/201104/87463.html
https://www.cnet.com/forums/discussions/security-advisory-for-adobe-flash-player-reader-acrobat-5204...
http://remove-malware-removal.com/post/How-to-Remove-SWFExploit.CVE-2011-0609.A-Instantly_14_214388....
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASHPLAYER_AVM
https://blogs.rsa.com/anatomy-of-an-attack/

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.