The recent "use-after-free" Internet Explorer zero-day attack seems to highlight the importance of Flash heap spray detection. Why are attackers using this technique and how are researchers working to detect heap spraying?
Attackers used a Flash heap spray exploit in the recent "use-after-free" Internet Explorer zero-day attack. The technique helps an attacker execute malicious code while exploiting a vulnerable piece of software installed on the system. With a Flash heap spray, attackers place malicious data throughout the memory heap, expecting that when the vulnerable application is exploited, the exploit will access one of those locations and execute the malicious code from the heap as the next step in the attack.
A Flash heap spray is a heap spray attack that uses Flash ActionScript to place code into the operating system memory heap to be used later in an exploit. In this attack, the malicious Flash file called the vulnerable function in Internet Explorer, which then ran the malicious code that the heap spray had placed into memory.
Researchers are working to uncover ways to detect heap spraying, but the attack is multi-stage and spread across multiple different files, which makes it difficult to detect.
The Sourcefire Vulnerability Research Team (VRT) wrote a blog post outlining the steps it took to detect Flash heap spray attacks. The steps leading up to calling the malicious function that exploited the zero-day Internet Explorer vulnerability would be suspicious, but the most important part of the exploit might not look suspicious to someone who analyzed only the HTML file opened in the attack. The VRT released detection methods for its specific tools, and other vendors will likely leverage the VRT research to identify how to incorporate protections in their tools.
In other research, Salman Javaid wrote a dissertation on how heap-based malware can be detected using virtual machines.
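To make the spray pattern described above concrete from the defender's side, here is an added example (not the VRT's detection method and not taken from the dissertation): a heuristic that flags many identical, filler-heavy large blocks in a snapshot of a process's heap allocations. The snapshot format, the thresholds and the function names are assumptions, and the sample data is constructed.

```python
import hashlib
import os
from collections import defaultdict

# Thresholds are assumptions for this sketch; tune them per application.
MIN_BLOCK = 64 * 1024          # ignore allocations smaller than this
MIN_COPIES = 50                # identical large blocks needed to flag
MIN_TOTAL = 32 * 1024 * 1024   # bytes the copies must occupy together


def find_spray_groups(allocations):
    """Return (size, copies, total_bytes, filler_ratio) for each group of
    identical large allocations that together look like a heap spray."""
    groups = defaultdict(list)
    for blob in allocations:
        if len(blob) >= MIN_BLOCK:
            groups[(len(blob), hashlib.sha256(blob).digest())].append(blob)
    findings = []
    for (size, _digest), blobs in groups.items():
        total = size * len(blobs)
        if len(blobs) >= MIN_COPIES and total >= MIN_TOTAL:
            sample = blobs[0]
            # Share of the block taken by its most common byte: spray blocks
            # are mostly filler, ordinary data is not.
            top = max(sample.count(bytes([b])) for b in set(sample))
            findings.append((size, len(blobs), total, round(top / size, 2)))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def build_sample(sprayed):
    """Constructed snapshot of heap allocations (not from a real process)."""
    heap = [os.urandom(64 * 1024 + i * 4096) for i in range(40)]
    if sprayed:
        block = b"\x41" * (512 * 1024 - 16) + b"CONSTRUCTED-TAIL"
        heap += [block] * 100  # 100 identical 512 KiB blocks, 50 MiB in total
    return heap


if __name__ == "__main__":
    for label, sprayed in (("baseline", False), ("sprayed", True)):
        print(label, find_spray_groups(build_sample(sprayed)))
```

A check like this only sees the spray stage; as noted above, the call that triggers the vulnerability lives in a different file and has to be detected separately.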