Adobe has recommended that Flash Player customers update to the latest version, which addresses a vulnerability (CVE-2012-1535) in the ActiveX version of Flash Player. The flaw can crash the application and potentially allow an attacker to take control of the affected system.
[Figure: Overview of the attack.]
We have observed that this vulnerability is being actively exploited in the wild. The attack is carried out by opening a malicious .doc file that contains an embedded Flash file, as shown below:
[Figure: The malicious Flash file.]
The uncompressed Small Web Format (SWF) file has a DoABC tag, which contains the ActionScript code the exploit uses to spray the shellcode into memory (a heap spray).
[Figure: The ActionScript.]
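A first triage step on the extracted SWF is to decompress it and locate the DoABC tag that carries the ActionScript. The Python below is an added example written for this post; it is not McAfee's tooling and not code from the sample. It implements the SWF header and tag-record layout from the public SWF specification, handles both uncompressed (FWS) and zlib-compressed (CWS) files, and reports every DoABC tag with its name and bytecode size. The SWF it analyses is constructed inline for demonstration; extracting the SWF from the carrier .doc (an OLE container) is assumed to have been done already and is not shown.

```python
import struct
import zlib

# Tag codes from the SWF file format specification that matter for triage.
TAG_NAMES = {
    0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
    69: "FileAttributes", 72: "DoABC1", 82: "DoABC", 87: "DefineBinaryData",
}
TAG_DOABC1, TAG_DOABC = 72, 82


def decompress_swf(data: bytes) -> bytes:
    """Return the SWF with its 8-byte header intact and the body inflated."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":  # zlib-compressed body (Flash 6+)
        return data[:8] + zlib.decompress(data[8:])
    if sig == b"ZWS":  # LZMA-compressed body (Flash 11+), not handled here
        raise ValueError("ZWS (LZMA) SWF not supported by this example")
    raise ValueError("bad SWF signature %r" % sig)


def _rect_size(body: bytes, off: int) -> int:
    """Size in bytes of the RECT record at off: 5-bit nbits, then 4 fields."""
    nbits = body[off] >> 3
    return (5 + 4 * nbits + 7) // 8


def iter_tags(swf: bytes):
    """Yield (code, payload_offset, payload) for every tag in the SWF."""
    body = decompress_swf(swf)
    off = 8 + _rect_size(body, 8) + 4  # header + RECT + frame rate + frame count
    while off + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, off)[0]
        off += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:  # long form: explicit 32-bit length follows
            length = struct.unpack_from("<I", body, off)[0]
            off += 4
        payload = body[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated tag %d at offset %d" % (code, off))
        yield code, off, payload
        off += length
        if code == 0:
            break


def tag_sequence(swf: bytes) -> list:
    """Human-readable list of tag names, in file order."""
    return [TAG_NAMES.get(code, "Unknown(%d)" % code) for code, _, _ in iter_tags(swf)]


def find_doabc(swf: bytes) -> list:
    """Return one dict per DoABC/DoABC1 tag: where it is, its name and ABC size."""
    found = []
    for code, off, payload in iter_tags(swf):
        if code == TAG_DOABC:
            flags = struct.unpack_from("<I", payload, 0)[0]
            name_end = payload.index(b"\x00", 4)  # STRING is null-terminated
            found.append({
                "tag": "DoABC", "offset": off, "flags": flags,
                "name": payload[4:name_end].decode("utf-8", "replace"),
                "abc_len": len(payload) - (name_end + 1),
            })
        elif code == TAG_DOABC1:
            found.append({"tag": "DoABC1", "offset": off, "flags": 0,
                          "name": "", "abc_len": len(payload)})
    return found


def _tag(code: int, payload: bytes) -> bytes:
    """Encode a tag RECORDHEADER (short or long form) plus payload."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_sample_swf() -> bytes:
    """Constructed CWS sample (not a real exploit): one DoABC tag named 'frame1'."""
    rect = bytes([15 << 3]) + b"\x00" * 8              # nbits=15 -> 65 bits -> 9 bytes
    header_rest = rect + struct.pack("<HH", 0x1800, 1)  # 24.0 fps, 1 frame
    abc = b"\x10\x00\x2e\x00" + b"\x00" * 100          # ABC minor/major version, dummy body
    tags = (_tag(69, struct.pack("<I", 0x08))           # FileAttributes: ActionScript3
            + _tag(TAG_DOABC, struct.pack("<I", 1) + b"frame1\x00" + abc)
            + _tag(1, b"") + _tag(0, b""))
    uncompressed = header_rest + tags
    header = b"CWS" + bytes([11]) + struct.pack("<I", 8 + len(uncompressed))
    return header + zlib.compress(uncompressed)


if __name__ == "__main__":
    sample = build_sample_swf()
    print(tag_sequence(sample))
    for entry in find_doabc(sample):
        print(entry)
```

On a real sample, call `find_doabc(open(path, "rb").read())` on the SWF carved from the document. The script stops at the tag header level; the ABC bytecode it locates is what you would hand to an ABC disassembler to read the spray routine itself.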
The loaded SWF file then triggers CVE-2012-1535 in Flash Player, which allows the attacker to gain control of execution and run the shellcode.
[Figure: Control is transferred to the shellcode.]
After gaining control, the shellcode uses a 256-byte key to decrypt the embedded payload, drops the decrypted malicious file in the %TEMP% directory, and executes it.
[Figure: The 256-byte key.]
Finally, it opens a decoy document so that the user sees nothing out of the ordinary. These crafted documents typically arrive as email attachments. Users should exercise caution when opening unsolicited email attachments and unknown links. McAfee products detect these exploits as Exploit-CVE2012-1535.