The Latest in IT Security

Adobe Zero-day Used in LadyBoyle Attack

09
Feb
2013

Yesterday, Adobe released an out of cycle patch that fixed two zero-day vulnerabilities (CVE-2013-0633, CVE-2013-0634) for Adobe Flash Player 11.5.502.146 and earlier versions for both Windows and Macintosh. The patch was released because the zero-days were being actively exploited for attacks in the wild. Symantec recommends applying the patch immediately. 

Reports of the attack seen in the wild using CVE-2013-0633 have been dubbed “LadyBoyle” following FireEye‘s initial analysis of the attack. In the analysis they identified a class file, with the name LadyBoyle, that contained the exploit code. Symantec can confirm that these exploits were actively being distributed in targeted attacks in the wild. Figure 1 shows an example of a targeted attack email with a Word document attachment that contains CVE-2013-0633. Symantec Mail Security for Microsoft Exchange blocked the attack on February 4.
 

Figure 1. Targeted email containing exploit
 

If the targeted attack was successful and a victim opened the attached document, the flash object contained within the document would execute the flash zero-day (CVE-2013-0633), as seen in figure 2.
 

Figure 2.  Targeted attack using CVE-2013-0633
 

As seen in Figure 2, Symantec has detections in place for the stages of this attack as Trojan.Mdropper, Trojan.Swifi, and Backdoor.Boda. Once a system has been compromised with Backdoor.Boda it will contact a command-and-control (C&C) server hosted at iee.boeing.job.com, which is currently offline. The following intrusion prevention signature (IPS) will be released later today for CVE-2013-0634, which is known to be actively delivered through malicious Flash (SWF) content hosted on websites:

26455 – Web Attack: Adobe SWF RCE CVE-2013-0634 2

We are currently investigating further protections for this zero-day and will provide an update to this blog when possible. As always, Symantec advises users to ensure that operating systems and software are kept up to date and to avoid clicking on suspicious links and opening suspicious email attachments.

Related posts:
  1. New Adobe PDF Zero-day Unleashes Trojan.Swaylib
  2. Zero-Day Vulnerabilities Found in Adobe Flash Player
  3. Chemical Attack in Syria Used as Enticement in Targeted Attack
  4. Adobe Flash security update for Windows, Mac, Android, Linux and Solaris users
  5. Operation GreedyWonk: Flash Zero-Day Used in Attack on Visitors of Foreign Policy Sites

Tags:  
Written by Symantec Security Response Blog
0 Comments

Leave a reply


Categories

FRIDAY, APRIL 26, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments