The recent "use-after-free" Internet Explorer zero-day attack seems to highlight the importance of Flash heap spray detection. Why are attackers using this technique and how are researchers working to detect heap spraying?
Attackers used a Flash heap spray in the recent "use-after-free" Internet Explorer zero-day attack. The technique facilitates the execution of malicious code on a system as part of exploiting a vulnerable piece of software installed on that system. With the Flash heap spray, attackers place malicious data throughout the memory heap in the expectation that, when the vulnerable application is exploited, the exploit will land on one of the many locations in the heap holding that data and execute the malicious code from there, taking the next step in the attack.
A Flash heap spray is a heap spray attack that uses Flash ActionScript to place code into the operating system memory heap for later use by an exploit. In this attack, the malicious Flash file called the vulnerable function in Internet Explorer, which then ran the malicious code the heap spray had placed in memory.
Researchers are working on ways to detect heap spraying, but the multi-stage attack method and the multiple files involved make it difficult to detect.
The Sourcefire Vulnerability Research Team (VRT) wrote a blog post outlining the steps it took to detect Flash heap spray attacks. The steps leading up to the call of the malicious function that exploited the zero-day Internet Explorer vulnerability would look suspicious, but the most important part of the exploit might not look suspicious to someone who only analyzed the HTML file opened in the attack. The VRT released detection methods for its own tools, and other vendors will likely leverage the VRT research to work out how to incorporate protections into theirs.
In other research, Salman Javaid wrote a dissertation detailing heap-based malware detection and how heap-based malware can be detected using virtual machines.
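As an added illustration, not the article's, the VRT's or Javaid's own detection logic, the following Python heuristic inspects a snapshot of heap allocations and flags size classes where many blocks are dominated by one repeated filler pattern, which is the footprint a heap spray leaves in memory. The snapshot layout, the filler bytes and the thresholds are assumptions constructed for the example.

```python
from collections import Counter

# Added example: a simplified heap-spray heuristic over a heap snapshot.
# A spray fills the heap with many same-sized blocks whose contents are
# mostly one repeated filler ("sled"), so we score each block's repetition
# and flag sizes where enough blocks score high. Thresholds are assumptions.

def repetition_score(block: bytes, word: int = 4) -> float:
    """Fraction of `word`-byte chunks that equal the most common chunk."""
    if len(block) < word:
        return 0.0
    chunks = [block[i:i + word] for i in range(0, len(block) - word + 1, word)]
    _, top = Counter(chunks).most_common(1)[0]
    return top / len(chunks)

def detect_heap_spray(blocks, min_blocks: int = 32, min_score: float = 0.9) -> dict:
    """Return {size: count} for sizes with >= min_blocks allocations whose
    contents are at least min_score repetitive. `blocks` is a list of bytes."""
    by_size: dict = {}
    for b in blocks:
        by_size.setdefault(len(b), []).append(b)
    suspicious = {}
    for size, group in by_size.items():
        hits = [b for b in group if repetition_score(b) >= min_score]
        if len(hits) >= min_blocks:
            suspicious[size] = len(hits)
    return suspicious

def sample_snapshot() -> list:
    """Constructed heap snapshot: benign allocations plus a simulated spray."""
    varied = bytes(range(256))                      # non-repetitive content
    benign = [varied[:s] for s in (24, 64, 128) for _ in range(20)]
    benign += [varied * 16 for _ in range(20)]      # 20 benign 4096-byte blocks
    filler = b"ABCD" * 1000 + b"\x90" * 96          # 4096 bytes, ~97% filler
    sprayed = [filler] * 500                        # simulated spray
    return benign + sprayed

if __name__ == "__main__":
    print(detect_heap_spray(sample_snapshot()))     # {4096: 500}
```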
Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)