Part 1 of this blog described and analyzed the CVE-2012-1535 vulnerability in Adobe Flash Player. Here, we describe the fixes and mitigations that can be employed for this and similar exploits.

Fixes and mitigations

To avoid being vulnerable, update Adobe Flash Player to the latest release from here. Recent versions of Adobe Flash Player offer a Background Updater feature, which you should enable. To protect users from zero-day vulnerabilities as quickly as possible, Adobe delivers security updates automatically, in the background, to users who have enabled the background update feature. For more information on Background Updater, and to determine whether it is enabled on your machine, you can read this article.

Updating is the best option for protecting yourself from this threat, but there are also some good mitigation methods available. The malicious SWF file is delivered through Microsoft Word, and the SWF content is rendered through the Adobe Flash Player ActiveX control, so you can use the security settings of Microsoft Office to mitigate this threat. What follows is a list of techniques for mitigating threats delivered through Microsoft Office files.

The mitigation techniques discussed here are recommended even after applying Adobe Flash Player updates, for two main reasons.

First, there are other threats that can be delivered through Microsoft Office. As Microsoft Office supports ActiveX control embedding, this is sometimes used to deliver malicious content. These mitigation techniques are effective on some of those threats.

The second reason for using these mitigation techniques is that they can be very effective in preventing possible 0-days that rely on exploiting memory corruption issues. However, you should not rely solely on these mitigation methods to prevent malware infections; they cannot replace keeping your software up to date.

There are 3 options we are showing here. Protected View is only available with Office 2010, but ActiveX Settings can be used on both Office 2007 and Office 2010. EMET is more of a general solution on the Windows platform: you can use this tool to set the mitigation configuration for Office binaries.

Mitigation Methods   Office 2007   Office 2010
Protected View       No            Yes
ActiveX Settings     Yes           Yes
EMET                 Yes           Yes

Table 1: Mitigation methods for Office 2007, 2010

Using Protected View

By default, if a document comes from the Internet, Microsoft Office 2010 opens it in Protected View. In this mode ActiveX is disabled, and settings such as DEP are enabled, which helps mitigate some memory corruption vulnerabilities. As Adobe Flash Player content inside Microsoft Word is rendered through the Adobe Flash Player ActiveX control, disabling ActiveX mitigates SWF malware delivered through Microsoft Office files. For detailed information on Protected View, you can read this article.

Opening documents in Protected View manually

Protected View doesn’t kick in when a document is opened from a local folder. In that case you can manually open the document in Protected View by using the "Open" dialog in Microsoft Word. This is a good practice when you’re opening documents received from an untrusted source.

Figure 4: Opening a potentially malicious document using Protected View

Setting Protected View as the default mode

You can also make Protected View the default for opening certain Office document types. Use File -> Options -> Trust Center -> Trust Center Settings to open the Trust Center dialog box shown in Figure 5, then choose "File Block Settings" to change the settings.

Figure 5: Setting Protected View as the default mode according to file types

Strict ActiveX settings

For Office 2007 and Office 2010, you can also disable ActiveX controls from the ActiveX Settings page in the "Trust Center" dialog. This prevents Microsoft Office from loading the Adobe Flash Player ActiveX control, and is very effective in mitigating any exploit that depends on ActiveX controls. You can still use the prompt options instead, but in that case there is some chance that users will allow the rendering of ActiveX content by mistake.

Figure 6: Disable ActiveX Controls
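As an added example (not from the original post or from the Office or MMPC teams), here is a PowerShell script that audits the Trust Center ActiveX setting shown in Figure 6 for the current user and, with -Enforce, sets it to "disable all controls". The registry value name DisableAllActiveX, the version numbers 12.0 (Office 2007) and 14.0 (Office 2010), and the policy/user key paths are assumptions about where this Trust Center setting is stored.

```powershell
# Added example: audit/enforce the Trust Center "Disable all controls" ActiveX
# setting (Figure 6) for Office 2007 (12.0) and Office 2010 (14.0).
# Assumed storage: DWORD DisableAllActiveX (1 = disabled) under
#   HKCU\Software\Microsoft\Office\<ver>\Common\Security        (user preference)
#   HKCU\Software\Policies\Microsoft\Office\<ver>\Common\Security (Group Policy, wins)
param([switch]$Enforce)

$versions = [ordered]@{ '12.0' = 'Office 2007'; '14.0' = 'Office 2010' }

function Get-ActiveXState {
    param([string]$Version)
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$Version\Common\Security",  # policy copy
        "HKCU:\Software\Microsoft\Office\$Version\Common\Security"            # user copy
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $v = (Get-ItemProperty -Path $p -Name DisableAllActiveX -ErrorAction SilentlyContinue).DisableAllActiveX
        if ($null -ne $v) { return [pscustomobject]@{ Path = $p; Value = [int]$v } }
    }
    return $null   # not configured: Office default (prompt / safe-mode controls)
}

foreach ($ver in $versions.Keys) {
    $name = $versions[$ver]
    # Skip Office versions that have never been run by this user.
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver")) { continue }

    $state = Get-ActiveXState -Version $ver
    if ($state -and $state.Value -eq 1) {
        Write-Host "${name}: ActiveX controls disabled ($($state.Path))"
        continue
    }
    Write-Warning "${name}: ActiveX controls NOT disabled; embedded Flash content can still load"

    if ($Enforce) {
        # Write the user preference; a policy value, if present, still takes precedence.
        $userKey = "HKCU:\Software\Microsoft\Office\$ver\Common\Security"
        if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
        Set-ItemProperty -Path $userKey -Name DisableAllActiveX -Value 1 -Type DWord
        Write-Host "${name}: DisableAllActiveX set to 1 (restart Office to apply)"
    }
}
```

Run it without -Enforce first to see the current state; the warning branch is the weak configuration, and the -Enforce branch applies the strict one from Figure 6.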

Use EMET

Another good option is EMET. EMET is a tool that configures mitigation methods for specific binaries on the system. To enable all mitigation methods for the Microsoft Word binary, you can add a rule like the one in Figure 7.

Figure 7: Enabling mitigations for "WINWORD.EXE" binary

For this specific malware, we found EMET very effective in mitigating exploit attempts. The malware could have been blocked by 3 different mitigation methods (DEP, EAF, HeapSpray). You can extend these settings to other application binaries depending on your needs.

Conclusion

Recently, Adobe Flash Player vulnerabilities have been used in targeted attacks. In many cases, the malicious SWF files are delivered through Microsoft Office files. In this case, the vulnerability was a memory corruption issue in font format parsing code, and a variety of mitigation options could have prevented the exploit code from succeeding. The best option is keeping your software up to date, but by also using mitigation techniques you gain protection against possible 0-days in the future.

Acknowledgement

Thanks to Elia Florio, MSRC Engineering, for providing detailed information on mitigation technology.

Jeong Wook (Matt) Oh
MMPC