CVE-2014-0497 – a 0-day vulnerability

A short while ago, we came across a set of similar SWF exploits and were unable to determine which vulnerability they exploited.

We reported this to Adobe and it turned out that these ITW exploits targeted a 0-day vulnerability. Today, Adobe released a patch for the vulnerability.

This post provides a technical analysis of the exploits and payload that we discovered.

All in all, we discovered a total of 11 exploits, which work on the following versions of Adobe Flash Player:

11.3.372.94
11.3.375.10
11.3.376.12
11.3.377.15
11.3.378.5
11.3.379.14
11.6.602.167
11.6.602.180
11.7.700.169
11.7.700.202
11.7.700.224

All of the exploits exploit the same vulnerability and all are unpacked SWF files. All have identical actionscript code, which performs an operating system version check. The exploits only work under the following Windows versions: XP, Vista, 2003 R2, 2003, 7, 7×64, 2008 R2, 2008, 8, 8×64. Some of the samples also have a check in place which makes the exploits terminate under Windows 8.1 and 8.1 x64.


Operating system version check algorithm

Read more: CVE-2014-0497 – a 0-day vulnerability

Story added 5. February 2014, content source with full text you can find at link above.