
How can Flash heap spray attacks be detected?

Enterprise threats expert Nick Lewis explains how the new Flash heap spray attack technique works and discusses methods researchers are using to detect and mitigate the risk.

The recent "use-after-free" Internet Explorer zero-day attack seems to highlight the importance of Flash heap spray detection. Why are attackers using this technique and how are researchers working to detect heap spraying?

Attackers used a Flash heap spray exploit in the recent "use-after-free" Internet Explorer zero-day attack. The technique helps malicious code execute on a system as part of exploiting a vulnerable piece of software installed on that system. With a Flash heap spray, attackers place malicious data throughout the memory heap, expecting that when the vulnerable application is exploited, the exploit will access one of those places in the heap and execute the malicious code from there as the next step in the attack.

A Flash heap spray is a heap spray attack that uses Flash ActionScript to place code into the operating system memory heap to be used later in an exploit. In this attack, the malicious Flash file exploited the Internet Explorer vulnerability by calling the vulnerable function, which then ran the malicious code that the heap spray had placed into memory.

Researchers are working to uncover ways to detect heap spraying, but because the attack is multi-stage and involves multiple files, it is difficult to detect.

The Sourcefire Vulnerability Research Team (VRT) wrote a blog post outlining the steps it took to detect Flash heap spray attacks. The steps leading up to calling the malicious function that exploited the zero-day Internet Explorer vulnerability would be suspicious, but the most important part of the exploit might not be suspicious if someone were to analyze only the HTML file opened in the attack. The VRT released detection methods for its specific tools, and other vendors will likely leverage the VRT research to identify how to incorporate protections in their tools.

In other research, Salman Javaid wrote a dissertation detailing heap-based malware detection and how heap-based malware can be detected using virtual machines.
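The memory footprint described above, the same data placed many times throughout the heap, is something a defender can look for in a heap snapshot. The following is an added example, not code from this article, the VRT or the dissertation; the snapshot format, function names and thresholds are assumptions, and the sample data is constructed.

```python
import hashlib
from collections import defaultdict


def find_spray_candidates(allocations, min_size=0x1000, min_copies=50,
                          min_fraction=0.5):
    """Flag groups of large, byte-identical heap blocks that dominate a heap.

    allocations: iterable of (address, data) pairs from a heap snapshot.
    The thresholds are illustrative assumptions, not values from any tool.
    """
    groups = defaultdict(list)
    total_bytes = 0
    for address, data in allocations:
        total_bytes += len(data)
        if len(data) >= min_size:
            # A spray repeats one payload, so size + content hash identifies it.
            groups[(len(data), hashlib.sha256(data).hexdigest())].append(address)

    findings = []
    for (size, digest), addresses in groups.items():
        fraction = size * len(addresses) / total_bytes
        if len(addresses) >= min_copies and fraction >= min_fraction:
            findings.append({
                "block_size": size,
                "sha256": digest,
                "copies": len(addresses),
                "heap_fraction": round(fraction, 4),
                "first_address": min(addresses),
                "last_address": max(addresses),
            })
    return sorted(findings, key=lambda f: f["heap_fraction"], reverse=True)


def constructed_snapshot(sprayed):
    """Constructed sample data: 40 small blocks plus 100 large 16 KB blocks."""
    small = [(0x00100000 + i * 0x100, bytes([i]) * 0x80) for i in range(40)]
    if sprayed:
        # Filler bytes only; every large block is identical, as in a spray.
        large = [(0x0C000000 + i * 0x4000, b"\x41" * 0x4000) for i in range(100)]
    else:
        # Ordinary buffers: same size, but each with different content.
        large = [(0x0C000000 + i * 0x4000, bytes([i]) * 0x4000) for i in range(100)]
    return small + large


if __name__ == "__main__":
    for label, sprayed in (("normal", False), ("sprayed", True)):
        hits = find_spray_candidates(constructed_snapshot(sprayed))
        print(label, "->", hits if hits else "no spray-like groups")
```

Large zero-filled or otherwise identical legitimate buffers would also match, so a hit is a lead for further analysis rather than a verdict.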


This was last published in November 2014
