Monthly Binary Analysis Update (July)

By Carsten Eiram

While July may have been a quiet month in terms of the number of BAs (Binary Analyses) released (19 in total), it certainly offered quite a few 0-day vulnerabilities (three) for us to analyse. I will be focusing on these in this month's blog posting.

Microsoft DirectShow Streaming Video ActiveX Control Buffer Overflow (SA35683 / CVE-2008-0015)
This vulnerability was originally discussed on a couple of Chinese forums and by KingSoft before being picked up by the rest of the world a couple of days later.

As Microsoft noted in their advisory, the ActiveX control was never intended to be instantiated in Internet Explorer, so it was fortunately very easy for users and system administrators to prevent exploitation by setting the kill-bit for the CLSIDs listed in the Microsoft advisory.

I therefore couldn't help shaking my head a bit, for two reasons, when I started seeing some sources refer to a continuously growing list of malicious sites and recommend that companies block access to these sites.

First of all, why should system administrators waste time continuously updating a blacklist in an attempt to prevent exploitation when a simple, effective solution to the problem exists (set the kill-bit)? Secondly, as most people in the security industry fortunately know, blacklisting is a terrible idea: it's inefficient, arbitrary, and in no way proactive.

Before you've even added one site to your blacklist, a couple of new sites already exist, and even if you keep it completely updated, it will only ever include a minor portion of the malicious sites actually out there. It would be a perfect follow-up to "The Neverending Story", though your systems won't eventually be destroyed by the Nothing; it will be something alright.

(I haven't discussed the core problem behind this vulnerability and how it relates to the out-of-band patches Microsoft released for ATL (Active Template Library), as there is already great information available from Microsoft and other sources.)

Microsoft Office Web Components Code Execution Vulnerability (SA35800 / CVE-2009-1136)
This is the second 0-day vulnerability reported in July and it also affects an ActiveX control: this time the Spreadsheet control bundled with Microsoft Office Web Components. The problem is that a method provided by the control does not properly validate input passed to it. This can be exploited to trigger a use-after-free or double-free, allowing execution of arbitrary code on a user's system when e.g. viewing a malicious web page.

Again, until fixes are available, the simplest and most effective solution is to kill-bit the ActiveX control as suggested by Microsoft. Similarly, it's straightforward for IDS/IPS vendors to create signatures by looking for web pages trying to instantiate the vulnerable control. If a more thorough detection signature is required to reduce false positives, BA customers can obtain this from our Binary Analysis of this vulnerability.
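Both ActiveX issues above (the DirectShow control and the OWC Spreadsheet control) are mitigated the same way, and the paragraph above also mentions detecting pages that try to instantiate the control. The PowerShell below is an added example written for this post; it is not code from Secunia, Microsoft or the advisories. The kill-bit mechanism it uses (bit 0x400 in the "Compatibility Flags" DWORD under the ActiveX Compatibility key, plus the Wow6432Node copy for 32-bit IE on 64-bit Windows) is documented by Microsoft. The CLSID value is a placeholder and must be replaced with the CLSIDs from the respective Microsoft advisories, and the HTML snippet it scans is constructed for the example.

```powershell
# Added example: set and verify the IE kill-bit for an ActiveX control, and
# scan saved HTML for pages that try to instantiate that control by CLSID.
# Placeholder CLSID (assumption): replace with the CLSIDs from the Microsoft advisory.
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'

# COMPAT_FLAG_KILLBIT: IE refuses to load a control whose Compatibility Flags has this bit set.
$KillBitFlag = 0x400

function Get-ActiveXCompatPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit IE on 64-bit Windows reads the Wow6432Node view of the key.
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-ActiveXCompatPaths -Clsid $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the kill-bit in so any other compatibility flags already present survive.
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # True only if the kill-bit is set in every registry view IE may consult.
    foreach ($path in Get-ActiveXCompatPaths -Clsid $Clsid) {
        $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current -or (($current -band $KillBitFlag) -eq 0)) { return $false }
    }
    return $true
}

function Find-ActiveXInstantiation {
    param([Parameter(Mandatory)][string]$Html, [Parameter(Mandatory)][string]$Clsid)
    # Match the <object classid="clsid:{...}"> form, case-insensitively, tolerating
    # missing quotes/braces and stray whitespace. Script that assembles the CLSID at
    # runtime or uses new ActiveXObject("ProgID") is NOT caught by this check.
    $bare = $Clsid.Trim('{', '}')
    $pattern = 'classid\s*=\s*["'']?\s*clsid:\s*\{?' + [regex]::Escape($bare) + '\}?'
    return [regex]::IsMatch($Html, $pattern, 'IgnoreCase')
}

# --- Usage (requires an elevated prompt, as it writes under HKLM) ---
Set-ActiveXKillBit -Clsid $PlaceholderClsid
"Kill-bit set for $PlaceholderClsid : $(Test-ActiveXKillBit -Clsid $PlaceholderClsid)"

# Constructed sample page for the scanner (not a real malicious page).
$sampleHtml = '<html><body><OBJECT CLASSID="clsid:{00000000-0000-0000-0000-000000000000}" id="t"></OBJECT></body></html>'
"Sample page instantiates the control: $(Find-ActiveXInstantiation -Html $sampleHtml -Clsid $PlaceholderClsid)"
```

Two practical notes. First, the registry write is only half the job: after deploying the kill-bit (Group Policy or a login script works for a fleet), verify on a test machine that a page referencing the CLSID really fails to load the control, since a control can also be reachable through other CLSIDs, which is exactly why the Microsoft advisory lists several. Second, the scanner above illustrates the kind of signature the paragraph describes and its obvious limitation: it keys on the CLSID string, so an IDS/IPS rule built this way needs companion rules for the control's ProgIDs and for script that decodes or concatenates the identifier at runtime, which is the difference between a quick signature and the more thorough one mentioned above.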

Adobe Products SWF AVM2 Bytecode Parsing Vulnerability (SA35949 + SA35948 / CVE-2009-1862)
The final 0-day vulnerability reported in July does not affect a Microsoft product, but instead Adobe Flash and Adobe Reader/Acrobat. You would not immediately expect Adobe Reader/Acrobat and Flash to be affected by the same vulnerability, as they're completely different products. However, Adobe has decided to bundle a Flash runtime in Adobe Reader/Acrobat to parse Flash content embedded in PDF documents, so a bug in Flash's bytecode parser is reachable from a PDF as well (which is also why Adobe's advisory offers removing or renaming the bundled authplay.dll as an interim mitigation for Reader/Acrobat).

This not only provides hackers with a nice new attack surface in which to discover vulnerabilities in Adobe Reader/Acrobat, but at the same time makes exploitation more reliable, as Flash provides ActionScript. JavaScript support in Adobe Reader/Acrobat already makes it possible to use heap-spraying and similar techniques to make exploits reliable, but users are often recommended to disable JavaScript to make exploitation of vulnerabilities harder. Now ActionScript comes to the rescue (for the hacker, that is): disabling JavaScript in Reader does nothing to the embedded Flash runtime, so ActionScript can be used in the same manner.

Based on this, I find that this product has suddenly become an (even more) interesting target. Not only does it have a lot of complex functionality in which to discover vulnerabilities, it also provides convenient features that make reliable exploitation easy to achieve.

Another interesting tidbit is that the vulnerability was actually not a true 0-day. It was apparently reported to Adobe as a crash bug, with details publicly available in their bug tracker, until exploits were found in the wild and matched to this bug. Suddenly it turned out to be a code execution vulnerability, resulting from insufficient validation of AVM2 (ActionScript Virtual Machine 2) bytecode.

These are interesting times we live in, and even though we see more and more good efforts by software vendors to enhance security in various ways to protect their users' systems, it seems we'll still see plenty of vulnerabilities being discovered and exploited in the future.

That wraps it up for this month.

Stay Secure,

Carsten Eiram
Chief Security Specialist