Part 1 of this blog described and analyzed the CVE-2012-1535 vulnerability in Adobe Flash Player. Here, we describe the fixes and mitigations that can be employed for this and similar exploits.
Fixes and mitigations
To avoid being vulnerable, you need to update Adobe Flash Player to the latest release from here. Recent versions of Adobe Flash Player offer a Background Updater feature, which you should enable. To protect users from immediate, zero-day vulnerabilities, Adobe provides security updates automatically, in the background, to users who have enabled the background update feature. For more information on Background Updater and to determine whether it is enabled on your machine, you can read this article.
Update is the best option for protecting yourself from this threat, but there are also some good mitigation methods available. The malicious SWF file is delivered through Microsoft Word and the SWF content is rendered through Adobe Flash Player ActiveX control, so you can set security settings for Microsoft Office to mitigate this threat. What follows is a list of mitigation techniques for mitigating threats delivered through Microsoft Office files.
The mitigation techniques we are talking about here are recommended even with Adobe Flash Player updates because of two main reasons.
First, there are other threats that can be delivered through Microsoft Office. As Microsoft Office supports ActiveX control embedding, this is sometimes used to deliver malicious content. These mitigation techniques are effective on some of those threats.
The second reason for using these mitigation techniques is that they could be very effective in preventing possible 0-days that rely on exploiting memory corruption issues. But, you should not solely rely on these mitigation methods to prevent malware infections. It can’t replace maintaining your software up to date.
There are 3 options we are showing here. Protected View is only available with Office 2010, but ActiveX Settings can be used on both Office 2007 and Office 2010. EMET is more of a general solution on Windows platform. You can set mitigation configuration for Office binaries using this tool.
|Mitigation Methods||Office 2007||Office 2010|
Table 1: Mitigation methods for Office 2007, 2010
Using Protected View
By default, if the documents are coming from the Internet, the file will be opened in Protected View in Microsoft Office 2010. With this mode, ActiveX will be disabled and also some settings like DEP will be enabled which will be effective in mitigating some memory corruption vulnerabilities. As Adobe Flash Player contents inside Microsoft Word will be rendered through Adobe Flash Player ActiveX control, disabling ActiveX will mitigate SWF malwares delivered through Microsoft Office files. For detailed information on Protected View, you can read this article.
Opening documents in Protected View manually
Protected View doesn’t kick in when the document is opened from local folders. In that case you can manually open those documents with Protected View by using the "Open" dialog in Microsoft Word. This is a good practice when you’re opening documents passed from an untrusted source.
Figure 4: Opening a potentially malicious document using Protected View
Setting Protected View as the default mode
You can also set Protected View as the default setting for opening some Office document types. You can use File -> Options -> Trust Center -> Trust Center Settings to open up a Trust Center dialog box as you can see in Figure 5. You need to choose "File Block Settings" to change the settings.
Figure 5: Setting Protected View as the default mode according to file types
Strict ActiveX settings
For Office 2007 and Office 2010, you can also disable ActiveX controls from ActiveX Settings in the "Trust Center" setting. This will disable the Adobe Flash Player ActiveX control loading from Microsoft Office. Also, this will be very effective in mitigating any exploits dependent on ActiveX controls. You can still use prompt options, but in that case there are some chances that users will allow the rendering of ActiveX contents by mistake.
Figure 6: Disable ActiveX Controls
One more good option you can use is using EMET. EMET is a tool that configures mitigation methods for specific binaries on the system. To enable all mitigation methods for a Microsoft Word binary, you can add a rule that looks like Figure 7.
Figure 7: Enabling mitigations for "WINWORD.EXE" binary
For this specific malware, we found EMET was very effective in mitigating exploit attempts. The malware could have been blocked by using 3 different mitigation methods (DEP, EAF, HeapSpray). You can extend these settings to other application binaries depending on your needs.
Recently, Adobe Flash Player vulnerabilities have been used for targeted attacks. In many cases, these malicious SWF files are delivered through Microsoft Office files. In this case, the vulnerability was a memory corruption issue in font format parsing code and a variety of mitigation options could have prevented the exploit code from succeeding. The best option is making your software up to date. But, using mitigation techniques, you have the benefit of mitigating any possible 0-days in the future.
Thanks to Elia Florio, MSRC Engineering, for providing detailed information on mitigation technology.
Jeong Wook (Matt) Oh