Adobe Type Confusion Vulnerability CVE-2016-1019 Exploited in the Wild

April 8, 2016

A critical vulnerability has been reported in Adobe Flash Player. The CVE identifier for this vulnerability is CVE-2016-1019. It affects Windows, Mac, Linux, and Chrome OS. An attacker who successfully exploits this vulnerability can execute remote code and potentially take over the system. Versions and before are vulnerable.

Exploits of this vulnerability have been seen in the wild. Some examples are listed below:

  • 9d7561f5613114431bf906ede4bc1c40208a9e35
  • 7021457e03445f8f10e38cf5aed4a60a757ea326
  • 8670993b2e63e32260685a80b78d15adf5742a6a
  • 2173970148947e7954ac028fc2fd855445897be1

Although it is being exploited in the wild, a mitigation introduced in Flash Player prevents the exploitation of this vulnerability.

The exploits are obfuscated, as usual. Even so, the attempts to exploit this vulnerability are easy to see:

As you can see above, the code attempts to load bytes from 'var_51', which essentially points to one of the byte arrays in the 'binaryData' section of the SWF file. This is another SWF file embedded inside:

Let's load this embedded SWF:

This is a heavily obfuscated file. The nature of the vulnerability requires two SWFs to work together; the latter SWF is merely the second part, which triggers the vulnerability.
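The two-SWF structure described above is itself a useful triage signal: a Flash file whose binaryData section carries another complete SWF is worth a closer look. The script below, an added example that is not part of the original post and not Dell SonicWALL's code, parses the SWF tag stream (the DefineBinaryData tag, code 87, is where Flash stores byte arrays declared with the [Embed] binaryData mimetype) and reports every DefineBinaryData payload that begins with an FWS/CWS/ZWS signature. The sample file it scans is constructed inline by `build_sample_swf` so the script runs offline; LZMA-compressed (ZWS) outer files are flagged rather than parsed, which is an assumption made to keep the example short.

```python
import struct
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
TAG_DEFINE_BINARY_DATA = 87   # DefineBinaryData: CharacterID (UI16), Reserved (UI32), data
TAG_END = 0


def decompress_swf(data: bytes) -> bytes:
    """Return the SWF body (everything after the 8-byte header), uncompressed.
    ZWS (LZMA) files are rejected here rather than parsed (example limitation)."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        raise ValueError("not a SWF file")
    sig, body = data[:3], data[8:]
    if sig == b"FWS":
        return body
    if sig == b"CWS":
        return zlib.decompress(body)
    raise ValueError("ZWS (LZMA-compressed) SWF not handled by this example")


def first_tag_offset(body: bytes) -> int:
    """Skip the frame-size RECT (5-bit nbits, then 4*nbits bits, byte aligned)
    and the UI16 frame rate plus UI16 frame count that precede the tag stream."""
    nbits = body[0] >> 3
    rect_bytes = (5 + 4 * nbits + 7) // 8
    return rect_bytes + 4


def iter_tags(body: bytes, start: int):
    """Yield (tag_code, payload) for each tag record until the End tag."""
    pos = start
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                       # long form: UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        payload = body[pos:pos + length]
        pos += length
        yield code, payload
        if code == TAG_END:
            break


def find_embedded_swfs(data: bytes) -> list:
    """Return (character_id, signature, declared_length) for every DefineBinaryData
    tag whose payload is itself a SWF file, the layout this exploit relies on."""
    body = decompress_swf(data)
    found = []
    for code, payload in iter_tags(body, first_tag_offset(body)):
        if code != TAG_DEFINE_BINARY_DATA or len(payload) < 6 + 8:
            continue
        char_id = struct.unpack_from("<H", payload, 0)[0]
        blob = payload[6:]                        # skip CharacterID and Reserved
        if blob[:3] in SWF_SIGNATURES:
            declared_len = struct.unpack_from("<I", blob, 4)[0]
            found.append((char_id, blob[:3].decode("ascii"), declared_len))
    return found


# --- constructed sample input (not a real exploit sample) ---------------------

def _tag(code: int, payload: bytes) -> bytes:
    """Encode one tag record, using the long-length form when needed."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_swf(tags: bytes, compress: bool = False) -> bytes:
    """Build a minimal SWF: header, zero-size RECT (one byte), frame rate,
    frame count, then the supplied tag bytes. Length field is the uncompressed size."""
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tags
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


def build_sample_swf(compress_outer: bool = False) -> bytes:
    """Outer SWF with three byte arrays: plain data, an embedded FWS, an embedded CWS."""
    inner_plain = build_swf(_tag(TAG_END, b""))
    inner_zlib = build_swf(_tag(TAG_END, b""), compress=True)
    tags = (
        _tag(TAG_DEFINE_BINARY_DATA, struct.pack("<HI", 1, 0) + b"not a swf, just data")
        + _tag(TAG_DEFINE_BINARY_DATA, struct.pack("<HI", 2, 0) + inner_plain)
        + _tag(TAG_DEFINE_BINARY_DATA, struct.pack("<HI", 3, 0) + inner_zlib)
        + _tag(TAG_END, b"")
    )
    return build_swf(tags, compress=compress_outer)


if __name__ == "__main__":
    for char_id, sig, size in find_embedded_swfs(build_sample_swf(compress_outer=True)):
        print(f"DefineBinaryData id={char_id}: embedded {sig} SWF, declared length {size}")
```

Run against a real sample, `find_embedded_swfs(open(path, "rb").read())` lists each embedded SWF with the character ID the ActionScript references; recursing into the reported blobs with the same function shows whether the nesting goes deeper than two stages.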

The Dell SonicWALL team has created the following signatures to protect our customers from these exploits:

  • CVE-2016-1019.A_4(Exploit)
  • CVE-2016-1019.A_3
  • CVE-2016-1019.A_2
  • CVE-2016-1019.A