Analysis of Latest Adobe Flash Vulnerability CVE-2014-0497

February 9, 2014

The Dell Sonicwall Threats Research Team has analyzed an integer underflow vulnerability (CVE-2014-0497) in Adobe Flash.
This is the latest vulnerability that affects Flash Player versions before and

The Flash file format specification supports the following container formats: ZWS (LZMA compression), CWS (zlib compression) and FWS (uncompressed).
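Compressed CWS and ZWS files hide the embedded ActionScript bytecode from byte-pattern matching, so a scanner has to normalize all three containers to one uncompressed body first. The following Python is an added example, not code from the original analysis; the function names, the 64 MiB cap and the sample body are assumptions constructed for illustration.

```python
import lzma
import struct
import zlib

MAX_BODY = 64 * 1024 * 1024  # assumed cap on inflated size, guards against decompression bombs


def unpack_swf(blob, max_body=MAX_BODY):
    """Return (signature, version, body, length_ok) with the body uncompressed."""
    if len(blob) < 8:
        raise ValueError("too short for an SWF header")
    # 3-byte signature, 1-byte version, 4-byte little-endian uncompressed file length
    sig, version, declared = struct.unpack("<3sBI", blob[:8])
    try:
        if sig == b"FWS":
            body = blob[8:8 + max_body]
        elif sig == b"CWS":  # zlib stream starts right after the 8-byte header
            body = zlib.decompressobj().decompress(blob[8:], max_body)
        elif sig == b"ZWS":  # 4-byte compressed length, 5-byte LZMA properties, raw LZMA data
            if len(blob) < 17:
                raise ValueError("truncated ZWS header")
            d, dict_size = struct.unpack("<BI", blob[12:17])
            filt = {"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
                    "lc": d % 9, "lp": d // 9 % 5, "pb": d // 45}
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=[filt])
            body = dec.decompress(blob[17:], max_body)
        else:
            raise ValueError("not an SWF container: %r" % sig)
    except (zlib.error, lzma.LZMAError) as exc:
        raise ValueError("corrupt %s stream: %s" % (sig.decode(), exc))
    # A declared length that disagrees with the real body is worth flagging in triage.
    return sig.decode(), version, body, len(body) == declared - 8


def build_samples(body=b"constructed tag bytes, not a real movie " * 8, version=13):
    """Wrap one constructed body in all three containers (sample data for the demo)."""
    head = bytes([version]) + struct.pack("<I", len(body) + 8)
    alone = lzma.compress(body, format=lzma.FORMAT_ALONE)  # 5 props + 8 size + data
    zws = b"ZWS" + head + struct.pack("<I", len(alone) - 13) + alone[:5] + alone[13:]
    return body, [b"FWS" + head + body, b"CWS" + head + zlib.compress(body), zws]


if __name__ == "__main__":
    original, samples = build_samples()
    for blob in samples:
        sig, version, body, length_ok = unpack_swf(blob)
        print(sig, version, len(body), length_ok, body == original)
```

The returned body is what content signatures should be matched against; a false `length_ok` means the header's declared length and the actual data disagree.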

Flash also supports ActionScript bytecode embedded in a Flash file, which is run by the ActionScript Virtual Machine.
This vulnerability can be exploited by creating malformed ActionScript, as shown by the following disassembly.

We observed the following crashes while debugging both IE and Flash Player.

A remote attacker can exploit this vulnerability by creating a malformed SWF file, causing arbitrary code execution.

We have implemented the following signatures to detect the attack.

  • IPS: 9996 Thirdbase C&C Traffic
  • GAV: 16454 Malformed.swf.MP.91
  • GAV: 36030 Malformed.swf.MP.92
  • GAV: 36037 Malformed.swf.MP.93