On October 12, McAfee Labs learned of proof-of-concept code exploiting a newly patched Flash Player vulnerability. Adobe had patched this vulnerability in its latest security update on October 8. Our research team rapidly responded to this threat with an in-depth analysis of the root cause and the degree of exploitability.
This specific vulnerability occurred due to a coding fault in Adobe’s ActionScript virtual machine (a.k.a. The Tamarin Project). Specifically, it lies in the way that AVM2 verifies the opcode OP_inclocal or OP_declocal. A checking logic step was mistakenly disabled by a macro. As a result, a U30 parameter was used directly without a bounds check, which leads to various code execution situations.
We assess the threat, CVE-2012-5271, by the following:
We strongly suggest users update their Flash Players as soon as possible. For McAfee customers, a User Defined Signature was released late on Friday, Oct 12 to deliver our protections. The signature name is “UDS-HTTP: Adobe Flash Player ActionScript Opcode OP_inclocal and OP_declocal Verifying Code Execution Vulnerability.”
McAfee Labs will continue to monitor the threat of this vulnerability.
I’d like thank my colleagues Yichong Lin, Bing Sun, XiaoBo Chen, and Chong Xu for their collaboration on this analysis.