A Quick Analysis of the Flash Player Opcode-Verifying Code Execution Vulnerability

On October 12, McAfee Labs learned of proof-of-concept code exploiting a newly patched Flash Player vulnerability. Adobe had patched this vulnerability in its latest security update on October 8. Our research team rapidly responded to this threat with an in-depth analysis of the root cause and the degree of exploitability.

This specific vulnerability occurred due to a coding fault in Adobe’s ActionScript virtual machine (a.k.a. The Tamarin Project). Specifically, it lies in the way that AVM2 verifies the opcode OP_inclocal or OP_declocal. A checking logic step was mistakenly disabled by a macro. As a result, a U30 parameter was used directly without a bounds check, which leads to various code execution situations.

We assess the threat, CVE-2012-5271, by the following:

  • The root cause is quite simple. It’s in the core of the AVM (verification), so every platform’s Flash Player (such as the built-in Flash Player on Chrome and Windows 8) is affected.
  • AVM is a scriptable virtual machine. Because the coding fault lies in its core verification process, attackers may have many opportunities to develop a working exploit.

We strongly suggest users update their Flash Players as soon as possible. For McAfee customers, a User Defined Signature was released late on Friday, Oct 12 to deliver our protections. The signature name is “UDS-HTTP: Adobe Flash Player ActionScript Opcode OP_inclocal and OP_declocal Verifying Code Execution Vulnerability.”

McAfee Labs will continue to monitor the threat of this vulnerability.


I’d like thank my colleagues Yichong Lin, Bing Sun, XiaoBo Chen, and Chong Xu for their collaboration on this analysis.

Targeted Attacks Make WinHelp Files Not So Helpful

Last year Symantec reported on the use of the Windows Help File (.hlp) extension as an attack vector in targeted attacks. Symantec telemetry is now increasingly seeing this attack vector being used in targeted attacks against industry and government sectors. The nefarious WinHelp files being used in these targeted attacks are detected by Symantec as Bloodhound.HLP.1 and Bloodhound.HLP.2.

Figure 1. Zip file attachment with malicious .hlp file

The increase in the use of WinHelp files as an attack vector can be attributed to attackers who do not require the use of an exploit to successfully compromise a computer. Attackers use social engineering to attempt to dupe a victim into opening a Windows help file contained within a targeted email. The functionality of the help file permits a call to the Windows API which, in turn, permits shell code execution and the installation of malicious payload files. This functionality is not an exploit, but there by design. Microsoft is already aware of the security implications of this functionality, and as far back as 2006 began to phase out WinHelp as a supported platform. However, the phase out has not stopped attackers from seeing WinHelp as an attractive means of attacking targets.

Figure 2. Bloodhound.HLP.1 and Bloodhound.HLP.2 detection heatmap

While Symantec continues to see an increase in this attack vector in the wild, we have identified two main threats in particular using this technique: Trojan.Ecltys and Backdoor.Barkiofork. Both threats are known to be limited to targeted attacks against industry and government sectors.

As always, it is recommended that you keep your antivirus updated and use the latest Symantec technologies to ensure the best possible protection against such threats. If you believe that you have been affected by any of the threats mentioned and require further assistance, please contact Symantec.

Who Bought Your Politician? Check With Our Embeddable Widget

Ask politicians whether campaign contributions influence their decisions, and they’ll tell you certainly not.

Ask any citizen, and they’ll likely give the opposite answer.

With that in mind, we’re re-introducing a web-based embeddable widget — for anybody to use — that lists the top 10 donors and their contributions to any member of the House and Senate, their opponents, and the presidential candidates. Wired updated the widget in conjunction with Maplight, the Berkeley, California-based nonprofit dedicated to following money and politics.

“Corporate influence in politics has gone off the charts, and it’s more important than ever for voters to understand who is financing candidates,” said Evan Hansen, editor in chief of Wired.com. “Maplight has done the hard work of compiling the data. At Wired, we’re happy to help get that information out to the wider public, and share it as broadly as possible with this web-based embeddable widget.”

The widget is free to steal and comes with a Creative Commons license. The widget displays a shadow outline of the politician adorned with NASCAR-style logos of some of the top donors giving that candidate money.

Maplight pulls down up-to-date campaign-financing figures from the Federal Election Commission, which are fed into a database so the widget stays current.

“In just a few weeks, voters will confront a ballot filled with candidates whose campaigns have been paid for by wealthy donors. People deserve to know the truth about whose interests their candidates are really representing,” said Daniel Newman, president and co-founder of MapLight. “We’re proud to work with Wired to give voters a tool they can use to draw back the curtain on the moneyed influence plaguing our political system.”

The widget shows where candidates are ranked in terms of how much money they’ve raked in compared to their peers. It also shows how they rank among all federal candidates.

President Barack Obama, for example, comes in first for presidential candidates, having garnered $201 million. His GOP rival, Mitt Romney, comes in second for presidential candidates with $150 million. Not surprisingly, the two rank first and second among all candidates for federal office.

When it comes to the top-10 donor lists, the total from each company or organization includes donations from individual workers and a firm’s Political Action Committee, if it has one. Goldman Sachs and its PAC has given Romney nearly $544,000 — Romney’s top contributor.

The largest contributors to the president were government employees, at more than $2 million.

The Supreme Court ruled in 2010 that the First Amendment prohibited the government from limiting contributions from unions and Political Action Committees to political campaigns that are independent of an individual’s campaign. Of note, however, the widget does not keep track these types of independent expenditures.

We introduced the first version of the widget in 2010, with Maplight’s help. But that one only listed incumbents and did not have challengers, unlike the new widget. The older version was viewed millions of times.

When we unveiled the original widget, we used it to produce a story about federal funding and a controversial helicopter — Follow the Money: Pork-Powered Pig Preps for Flight, which highlighted pay-to-play contributions to select politicians from defense firms hoping to win a contract to build the next Marine One, the president’s personal helicopter.

What we learned was something we suspected and knew all along: There is a correlation to politicians’ voting records and where they get their money.

And we’re giving away the widget to help you prove it in other cases, as well.

French Statistics Show Prevalence of Threats

On the occasion of the establishment of the French-language McAfee “Cybervigilance” blog, I offered to my compatriots some statistics related to France that cover the first three quarters of 2012. Below you’ll find these figures for those who don’t understand the language of Molière.

As of September 30, nearly 150,000 suspicious Internet addresses hosted in France were analyzed by McAfee. There were only 50,000 in late 2011. 73 percent of the current ones are assigned with a maximum risk.

Nearly 70 percent of these URLs hide malware. About 20 percent of them are used in phishing campaigns.

These 150,000 URLs are associated with about 50,000 domains. Just in France, McAfee has added more than 10,000 URLs monthly, which correspond to nearly 2,700 suspect domains each month.

Linked to these URLs, more than 8,000 malware ready to download have been identified in 2012. The two most prevalent:

  • Generic.dx (E4E63BFB0669F2939EBE433D289E49E0)
  • HTML/IFrame.L Trojan (4447FD93D7CA7BAFE66CA119E8303F83)

Regarding phishing, the main worldwide targets using French URLs are eBay, Paypal, Wells-Fargo, American Express, and ADP (Automatic Data Processing). But France is also a target for cybercriminals. In 2012, the most encountered malware pinpointed in France were:

  • Generic.dx!b2az (A75F9BFCFCEAEBBA8749D0705F5AA1E0)
  • W32/Conficker.worm!inf (92B1CA5033820F474F79B1AA8EE44A66)
  • ZeroAccess (11028C6A84A967070CB1286550F2058F)
  • Generic PUP.z!ms (5ED3CEAAAEB87B6D37F806E0EB00F05C)
  • Generic Downloader.x!dze (70535D0798332779DDE87B1435C3627E)
  • W32/Bactera.worm!a (BDDD44CC65A56530ABEBE544DBFA13D1)
  • Adware-Tuto4PC (C0C5903D963030A38CFBBEECC2C1267B and 04E45C5782A0040016FF9B140876CEDF)

In France, the main targets of phishing were (in alphabetical order):

  • BNP Paribas
  • Credit Agricole
  • Electricité de France
  • Free
  • La Banque Postale
  • LexisNexis
  • Meetic
  • Orange
  • SFR
  • VISA France
  • Wistee

The spam volume sent from France by infected computers connected to botnets has been stable since the beginning of the year, despite a slight peak in the second quarter.

The number of new computers joining botnets is decreasing. The two main botnet families are Festi and Cutwail.

After looking at these figures, it’s no surprise that protecting one’s computer is mandatory in France just as in any other country.