The recent "use-after-free" Internet Explorer zero-day attack seems to highlight the importance of Flash heap spray detection. Why are attackers using this technique and how are researchers working to detect heap spraying?
Attackers used a Flash heap spray exploit in the recent "use-after-free" Internet Explorer zero-day attack. The technique facilitates the execution of malicious code as part of exploiting a vulnerable piece of software installed on a system. With a Flash heap spray, attackers place malicious data throughout the memory heap, expecting that when the vulnerable application is exploited, the exploit will access one of those heap locations and execute the malicious code there to take the next step in the attack.
A Flash heap spray is a heap spray attack that uses Flash ActionScript to place code into the operating system memory heap to be used later in an exploit. The vulnerability in Internet Explorer was exploited by the malicious Flash file that called the vulnerable function in Internet Explorer, which then ran the malicious code placed into memory by the heap spray.
Researchers are working to uncover ways to detect heap spraying, but the multi-stage attack method and the multiple files involved make it difficult to detect.
The Sourcefire Vulnerability Research Team (VRT) wrote a blog post outlining the steps it took to detect Flash heap spray attacks. The steps leading up to calling the malicious function that exploited the zero-day Internet Explorer vulnerability would be suspicious, but the most important part of the exploit might not be suspicious if someone were to analyze only the HTML file opened in the attack. The VRT released detection methods for its specific tools, and other vendors will likely leverage the VRT research to identify how to incorporate protections in their tools.
In other research, Salman Javaid wrote a dissertation detailing heap-based malware detection and how heap-based malware can be detected using virtual machines.
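A simplified illustration of one detection idea, added here as an example and not taken from the VRT post or the dissertation: a spray leaves many large, identical blocks on the heap, so a scanner can group allocations by size and content hash and flag oversized groups. The snapshot format, thresholds and function names are assumptions, and the sample data is constructed.

```python
import hashlib
from collections import defaultdict

# Assumed thresholds for illustration; tune against real baselines.
MIN_BLOCK = 64 * 1024          # ignore allocations smaller than this
MIN_COPIES = 100               # identical large blocks needed to flag
MIN_TOTAL = 32 * 1024 * 1024   # combined size of the identical blocks

def find_spray(allocations):
    """Group (address, bytes) allocations by size and SHA-256; return flagged groups."""
    groups = defaultdict(list)
    for addr, data in allocations:
        if len(data) >= MIN_BLOCK:
            groups[(len(data), hashlib.sha256(data).digest())].append(addr)
    findings = []
    for (size, _digest), addrs in groups.items():
        total = size * len(addrs)
        if len(addrs) >= MIN_COPIES and total >= MIN_TOTAL:
            findings.append({"size": size, "copies": len(addrs),
                             "total_bytes": total,
                             "lowest": min(addrs), "highest": max(addrs)})
    return sorted(findings, key=lambda f: f["total_bytes"], reverse=True)

def build_sample(sprayed):
    """Constructed heap snapshot: hypothetical addresses, inert filler bytes."""
    allocs, addr = [], 0x02000000
    def add(data):
        nonlocal addr
        allocs.append((addr, data))
        addr += len(data)
    for i in range(150):                 # distinct large buffers (e.g. images)
        add(bytes([i]) * (128 * 1024))
    for _ in range(500):                 # many identical but small objects
        add(b"\x00" * 1024)
    for _ in range(10):                  # a few identical zeroed buffers
        add(b"\x00" * (256 * 1024))
    if sprayed:
        block = b"\x41" * (256 * 1024)   # inert placeholder for the repeated block
        for _ in range(200):
            add(block)
    return allocs

if __name__ == "__main__":
    for label, flag in (("baseline", False), ("sprayed", True)):
        print(label, find_spray(build_sample(flag)))
```

Exact-hash grouping only catches byte-identical blocks; blocks that differ slightly from copy to copy would need a fuzzy comparison instead.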