A Quick Analysis of the Flash Player Opcode-Verifying Code Execution Vulnerability

On October 12, McAfee Labs learned of proof-of-concept code exploiting a newly patched Flash Player vulnerability. Adobe had patched this vulnerability in its latest security update on October 8. Our research team rapidly responded to this threat with an in-depth analysis of the root cause and the degree of exploitability.

This specific vulnerability is caused by a coding fault in Adobe's ActionScript virtual machine (a.k.a. the Tamarin Project). Specifically, it lies in the way AVM2 verifies the opcodes OP_inclocal and OP_declocal. A checking step in the verification logic was mistakenly disabled by a macro. As a result, a U30 parameter (the local register index) is used directly without a bounds check, which opens several paths to code execution.
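To make the fault concrete, here is an added illustration (not Tamarin's code, and not from the original post) of a minimal verifier for these two opcodes: it decodes the U30 register index and then either accepts it unchecked, as a verifier with its range check compiled out would, or rejects it against the method's declared local count. The opcode numbers are assumed from Adobe's AVM2 overview.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Opcode numbers as listed in Adobe's AVM2 overview (assumed here, not taken from the post). */
#define OP_INCLOCAL 0xC2
#define OP_DECLOCAL 0xC3

typedef enum { V_OK, V_BAD_ENCODING, V_UNKNOWN_OP, V_LOCAL_OUT_OF_RANGE } verify_result;

/* Decode a U30: little-endian base-128, 7 payload bits per byte, high bit = continuation,
   at most 5 bytes, result truncated to 30 bits. Returns bytes consumed, or 0 if truncated. */
static size_t read_u30(const uint8_t *p, size_t len, uint32_t *out) {
    uint32_t v = 0;
    for (size_t i = 0; i < 5 && i < len; i++) {
        v |= (uint32_t)(p[i] & 0x7F) << (7 * i);
        if ((p[i] & 0x80) == 0) {
            *out = v & 0x3FFFFFFF;
            return i + 1;
        }
    }
    return 0;
}

/* Verify one inclocal/declocal instruction. local_count is the number of local registers the
   method declares. With check_bounds false the decoded index is accepted as is, mirroring a
   verifier whose range check was disabled; with it true, an index >= local_count is rejected
   before it can ever be used to address the register file. */
static verify_result verify_local_op(const uint8_t *code, size_t len, uint32_t local_count,
                                     bool check_bounds, uint32_t *index_out) {
    if (len == 0 || (code[0] != OP_INCLOCAL && code[0] != OP_DECLOCAL))
        return V_UNKNOWN_OP;
    uint32_t index;
    size_t used = read_u30(code + 1, len - 1, &index);
    if (used == 0)
        return V_BAD_ENCODING;
    *index_out = index;
    if (check_bounds && index >= local_count)
        return V_LOCAL_OUT_OF_RANGE;
    return V_OK;
}

int main(void) {
    /* Constructed bytecode: inclocal with a 3-byte U30 encoding register index 65535. */
    const uint8_t oversized[] = { OP_INCLOCAL, 0xFF, 0xFF, 0x03 };
    uint32_t idx = 0;
    verify_result faulty = verify_local_op(oversized, sizeof oversized, 4, false, &idx);
    verify_result fixed  = verify_local_op(oversized, sizeof oversized, 4, true,  &idx);
    printf("index=%u faulty=%d fixed=%d\n", idx, (int)faulty, (int)fixed);
    return 0;
}
```

With four declared locals, the faulty path reports V_OK for index 65535 while the checked path reports V_LOCAL_OUT_OF_RANGE; the same check is what a patched verifier must apply before the index reaches any register access.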

We assess the threat, CVE-2012-5271, as follows:

  • The root cause is quite simple. It sits in the core of the AVM (the bytecode verifier), so Flash Player on every platform (including the built-in Flash Player in Chrome and Windows 8) is affected.
  • The AVM is a scriptable virtual machine. Because the coding fault lies in its core verification process, attackers may have many opportunities to develop a working exploit.

We strongly suggest that users update Flash Player as soon as possible. For McAfee customers, a User Defined Signature was released late on Friday, Oct 12 to deliver our protection. The signature name is “UDS-HTTP: Adobe Flash Player ActionScript Opcode OP_inclocal and OP_declocal Verifying Code Execution Vulnerability.”

McAfee Labs will continue to monitor the threat of this vulnerability.

I’d like to thank my colleagues Yichong Lin, Bing Sun, XiaoBo Chen, and Chong Xu for their collaboration on this analysis.