The recent "use-after-free" Internet Explorer zero-day attack seems to highlight the importance of Flash heap spray detection. Why are attackers using this technique and how are researchers working to detect heap spraying?
Attackers used a Flash heap spray exploit in the recent "use-after-free" Internet Explorer zero-day attack. The technique facilitates the execution of malicious code on a system as part of exploiting a vulnerable piece of software installed on that system. With a Flash heap spray, attackers place malicious data throughout the memory heap, expecting that when the vulnerable application is exploited, the exploit will access one of those heap locations and execute the malicious code there as the next step in the attack.
A Flash heap spray is a heap spray attack that uses Flash ActionScript to place code into the operating system memory heap to be used later in an exploit. In this attack, the malicious Flash file exploited the vulnerability by calling the vulnerable function in Internet Explorer, which then ran the malicious code placed into memory by the heap spray.
Researchers are working to uncover ways to detect heap spraying, but the multi-stage attack method and the multiple files involved in the attack make it difficult to detect.
The Sourcefire Vulnerability Research Team (VRT) wrote a blog post outlining the steps it took to detect Flash heap spray attacks. The steps leading up to calling the malicious function that exploited the zero-day Internet Explorer vulnerability would be suspicious, but the most important part of the exploit might not look suspicious to someone analyzing only the HTML file opened in the attack. The VRT released detection methods for its specific tools, and other vendors will likely leverage the VRT research to identify how to incorporate protections in their tools.
In other research, Salman Javaid wrote a dissertation detailing heap-based malware detection and how heap-based malware can be detected using virtual machines.
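The memory-side signal that a heap spray leaves can be shown with an added example; it is not code from the Sourcefire VRT post, the dissertation or this article. It flags a heap snapshot in which many large allocations are byte-for-byte identical and hold most of the heap, and it assumes the snapshot is available as a list of byte strings; the function names and thresholds are hypothetical and the sample data is constructed.

```python
import hashlib
from collections import defaultdict

# Hypothetical thresholds, chosen for this illustration only.
MIN_BLOCK = 32 * 1024   # ignore small allocations
MIN_COPIES = 50         # identical large blocks needed before flagging
MIN_SHARE = 0.5         # fraction of heap bytes those copies must hold

def dominant_word_share(block, width=4):
    """Fraction of aligned width-byte words equal to the most common word."""
    words = defaultdict(int)
    for i in range(0, len(block) - width + 1, width):
        words[block[i:i + width]] += 1
    return max(words.values()) / sum(words.values()) if words else 0.0

def analyze_heap(allocations):
    """Summarise the most duplicated large allocation in a heap snapshot."""
    groups = defaultdict(list)
    for buf in allocations:
        if len(buf) >= MIN_BLOCK:
            groups[hashlib.sha256(buf).digest()].append(buf)
    if not groups:
        return {"copies": 0, "share": 0.0, "filler": 0.0, "suspicious": False}
    top = max(groups.values(), key=len)          # largest set of identical blocks
    total = sum(len(b) for b in allocations)
    share = len(top) * len(top[0]) / total       # heap bytes held by the copies
    return {"copies": len(top), "share": share,
            "filler": dominant_word_share(top[0]),  # how uniform one copy is
            "suspicious": len(top) >= MIN_COPIES and share >= MIN_SHARE}

def constructed_benign_heap(n=40):
    # Constructed sample: distinct pseudo-random buffers of varying size.
    return [hashlib.shake_256(bytes([i])).digest(MIN_BLOCK + 1024 * i)
            for i in range(n)]

def constructed_sprayed_heap(copies=100):
    # Constructed sample: one inert 64 KiB block (placeholder filler bytes plus
    # a pseudo-random tail, nothing executable) allocated many times.
    block = b"\x41" * 61440 + hashlib.shake_256(b"tail").digest(4096)
    return constructed_benign_heap() + [block] * copies

if __name__ == "__main__":
    for name, heap in (("benign", constructed_benign_heap()),
                       ("sprayed", constructed_sprayed_heap())):
        print(name, analyze_heap(heap))
```

The `filler` value is reported separately so an analyst can see whether the duplicated block is mostly one repeated word, which distinguishes padding-heavy spray blocks from legitimately duplicated resources such as cached images.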