Monthly Binary Analysis Update (February)

By Carsten Eiram

February is (long) gone, and it's therefore time to recap our Binary Analysis feats of the past month.

This wasn't a terribly busy month, but 22 analyses were still issued and two of the analysed vulnerabilities were particularly interesting.

Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability
(SA33901 / CVE-2009-0658)
This vulnerability was actively being exploited as a 0-day vulnerability for a long time and was just patched in some versions yesterday (the remaining patches should be available on 2009-03-18).

As the first exploits spotted were using JavaScript to make code execution more reliable, many sources recommended that users disable JavaScript support in Adobe Reader/Acrobat to prevent exploitation. However, shortly after, my team proved during the Binary Analysis process that reliable exploitation was possible even without using JavaScript. More about this can be found here.

Internet Explorer CFunctionPointer Object Handling Vulnerability
(SA33845#1 / CVE-2009-0075)
This vulnerability was one of the vulnerabilities addressed by the February security updates released by Microsoft.

Internet Explorer supports certain event methods for interacting with elements. When such a method is called, Internet Explorer may create a CFunctionPointer object containing a reference to the element for which the event method was called. If the same event method is later called by a cloned element, the same CFunctionPointer object is used, which may lead to a use-after-free error if the original element has been deleted. This can be exploited to call into already freed memory and allows executing arbitrary code.
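The lifetime problem described above can be shown with a simplified model. This is an added example, not code from Internet Explorer or from the Secunia analysis; every name in it is hypothetical. It compares a cached object that only borrows the element pointer with one that holds a counted reference, which is one common way to keep a cached target alive.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified lifetime model; all names are hypothetical, not IE internals. */
typedef struct { int refs; } Element;
typedef struct {
    Element *target;  /* element the event method was first called on */
    int owns_ref;     /* 1 = holds a counted reference, 0 = borrowed pointer */
} FunctionPointer;
static int live_elements = 0;

static Element *element_new(void) {
    Element *e = malloc(sizeof *e);
    if (!e) abort();
    e->refs = 1;
    live_elements++;
    return e;
}

static void element_release(Element *e) {
    if (--e->refs == 0) { live_elements--; free(e); }
}

/* Build the cached object that the original and its clone would share. */
static FunctionPointer fp_create(Element *e, int counted) {
    FunctionPointer fp = { e, counted };
    if (counted) e->refs++;
    return fp;
}

static void fp_destroy(FunctionPointer *fp) {
    if (fp->owns_ref) element_release(fp->target);
    fp->target = NULL;
}

/* 1 if the cached target outlives deletion of the original, 0 if it dangles. */
static int target_survives_delete(int counted) {
    Element *orig = element_new();
    FunctionPointer fp = fp_create(orig, counted);
    element_release(orig);            /* document drops its only reference */
    int alive = (live_elements == 1); /* checked without touching fp.target */
    fp_destroy(&fp);
    return alive;
}

int main(void) {
    printf("borrowed: %d, counted: %d\n", target_survives_delete(0), target_survives_delete(1));
    return 0;
}
```

In the borrowed case the element is freed while the cached object still points at it, so any later call through the cache on behalf of a clone would touch freed memory; the model never dereferences that pointer.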

The vulnerability was not that straightforward to find and analyse, but within a week we released a thorough, detailed analysis. Shortly after, we started seeing exploits for this vulnerability becoming publicly available. Fortunately, we managed to provide our customers with the detailed analysis a couple of days before and thus ensured that their signatures could already detect these exploits.

That's it for this month. I will, however, be issuing another blog soon(ish) where I rant a bit about the Secunia Research team and the efforts we put into discovering and reporting new vulnerabilities in popular software. You can also keep track of our latest exploits here.

Also, should anyone reading this feel that they have the hardcore skills required to be a part of the Secunia Advisories and/or Secunia BA team (and have a penchant for the cool Scandinavian climate), then don't hesitate to read more about our open positions here and send your application to techjob [at]

Stay Secure,

Carsten Eiram
Chief Security Specialist

P.S. Since it must almost be considered tradition by now, I've naturally uploaded a new binary analysis to our sample page.