
Adobe Zero-day Used in LadyBoyle Attack

Yesterday, Adobe released an out-of-cycle patch that fixed two zero-day vulnerabilities (CVE-2013-0633 and CVE-2013-0634) in Adobe Flash Player 11.5.502.146 and earlier versions for both Windows and Macintosh. The patch was released because both zero-days were being actively exploited in attacks in the wild. Symantec recommends applying the patch immediately.

Reports of the in-the-wild attack using CVE-2013-0633 have been dubbed "LadyBoyle", following FireEye's initial analysis of the attack, which identified a class file named LadyBoyle that contained the exploit code. Symantec can confirm that these exploits were being actively distributed in targeted attacks in the wild. Figure 1 shows an example of a targeted attack email with a Word document attachment containing an exploit for CVE-2013-0633. Symantec Mail Security for Microsoft Exchange blocked the attack on February 4.
 


Figure 1. Targeted email containing exploit
 

If the targeted attack was successful and the victim opened the attached document, the Flash object embedded in the document would trigger the Flash zero-day (CVE-2013-0633), as shown in Figure 2.
 


Figure 2. Targeted attack using CVE-2013-0633
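The following is an added example, not part of the original post and not Symantec's detection logic: a small Python triage script for the attack chain shown in Figures 1 and 2. It carves embedded Flash (SWF) objects out of a Word attachment, decompresses them, and looks for the LadyBoyle class name that FireEye's analysis reported inside the exploit. Function names, the marker list and the constructed sample document are assumptions for illustration; the SWF header layout (a 3-byte signature FWS/CWS/ZWS, a version byte and a little-endian 32-bit uncompressed length) is from the published file format.

```python
"""Triage helper: carve embedded Flash (SWF) objects out of an Office
document and check whether the decompressed payload mentions the
"LadyBoyle" class name FireEye reported for the CVE-2013-0633 exploit.

Added example; not Symantec's detection logic. The function names, the
MARKERS list and build_sample_docx() are hypothetical/constructed.
"""
import io
import struct
import zipfile
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib (SWF 6+), ZWS = LZMA (SWF 13+)
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Class name reported in FireEye's analysis; a triage indicator, not proof.
MARKERS = (b"LadyBoyle",)


def carve_swfs(data):
    """Return [(offset, signature, version, declared_len, body)] for every
    SWF header found anywhere in the buffer, sorted by offset. body is the
    uncompressed payload after the 8-byte header, or None for LZMA (ZWS),
    which this helper does not decompress."""
    results = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            start = off + 1
            if off + 8 > len(data):
                continue
            version = data[off + 3]
            declared_len = struct.unpack_from("<I", data, off + 4)[0]
            # The declared length covers the whole uncompressed file, so
            # anything below the header size is a false signature hit.
            if declared_len < 8:
                continue
            payload = data[off + 8:]
            if magic == b"FWS":
                body = payload[:declared_len - 8]
            elif magic == b"CWS":
                try:
                    # decompressobj tolerates trailing bytes after the stream
                    body = zlib.decompressobj().decompress(payload)
                except zlib.error:
                    continue
            else:
                body = None
            results.append((off, magic.decode(), version, declared_len, body))
    results.sort(key=lambda r: r[0])
    return results


def extract_parts(doc_bytes):
    """Byte streams worth scanning: every member under word/ for an OOXML
    (.docx) zip; the raw file for a legacy binary .doc or anything else.
    OLE2 streams are not parsed, so carving relies on the SWF being stored
    contiguously inside the file."""
    if zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return [(n, zf.read(n)) for n in zf.namelist() if n.startswith("word/")]
    return [("<raw>", doc_bytes)]


def triage(doc_bytes):
    """One finding dict per embedded SWF, with any marker strings matched."""
    findings = []
    for name, blob in extract_parts(doc_bytes):
        for off, sig, ver, dlen, body in carve_swfs(blob):
            hits = [m.decode() for m in MARKERS if body is not None and m in body]
            findings.append({"part": name, "offset": off, "signature": sig,
                             "version": ver, "declared_len": dlen,
                             "markers": hits})
    return findings


def build_sample_docx():
    """Constructed sample input (not a real exploit): a minimal .docx-like
    zip with a zlib-compressed (CWS) Flash object under word/embeddings/,
    prefixed by an OLE2 magic plus padding, whose body carries the marker."""
    body = b"\x00" * 16 + b"LadyBoyle" + b"\x00" * 16
    header = b"CWS" + bytes([11]) + struct.pack("<I", 8 + len(body))
    swf = header + zlib.compress(body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin",
                    b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage(build_sample_docx()):
        print(f)
```

Two caveats for real use: a string match on a class name is a triage indicator only (the attacker can rename the class, and LZMA-packed ZWS files are not inspected here), and for legacy OLE2 .doc files a SWF split across non-contiguous sectors will not be found by raw carving; parse the compound file streams first. Any embedded SWF in a mail attachment is itself worth a closer look regardless of the marker.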
 

As shown in Figure 2, Symantec has detections in place for the stages of this attack as Trojan.Mdropper, Trojan.Swifi, and Backdoor.Boda. Once a system has been compromised with Backdoor.Boda, it contacts a command-and-control (C&C) server hosted at iee.boeing.job.com, which is currently offline. The following intrusion prevention system (IPS) signature will be released later today for CVE-2013-0634, which is known to be actively delivered through malicious Flash (SWF) content hosted on websites:

26455 - Web Attack: Adobe SWF RCE CVE-2013-0634 2

We are currently investigating further protections for this zero-day and will update this blog when possible. As always, Symantec advises users to keep operating systems and software up to date and to avoid clicking suspicious links or opening suspicious email attachments.

