Matasano Chargen » This New Vulnerability: Dowd’s Inhuman Flash Exploit
Holy fuck.
But, just to rub it in, or because this stuff just comes naturally to you when you are manufactured by a malicious cluster of supercomputers inside SkyNet instead of nurtured by loving human parents, Dowd gives himself additional constraints. To wit: his exploit must (because he’s messing with us) corrupt the Flash runtime, rewrite it to execute his trojan, and leave it running steady as if nothing had happened. Meaning:
- His modification to the verifier can’t break existing instructions.
- His bytecode has to swap values into the stack instead of clobbering them directly.
- Portions of his shellcode have to run as both Flash bytecode and an X86 first-stage shellcode boot.
Basically, either Adobe updates a lot of clients any time soon now, or within three to six months it’s technically possible that we will all be facing a really common sort of instant botnet that will be phishing people to just click somewhere. I guess it’s such a high profile bug that no one would remain unpatched for very long.
It’s a wonderful game over kind of bug. You click on any untrusted website, it compromises your machine using spare cycles on your dual core and, without noticing a thing, you’ve now become an active promoter of penny stocks on the NYSE.
I don’t completely understand Thomas Ptacek’s summary of what’s going on, but one thing is increasingly clear: that Dowd guy who figured it all out is unreal. That’s the level of expertise you can only hope to achieve one day. The exploit is noteworthy for its sheer intensity of awesome.
I tend to think I’m a pretty good Comp Sci undergrad, that I’ve got a lot of this stuff figured out, but the folks at Matasano tend to go to a level of depth that way outclasses me and my perception of the average level of expertise required for the ‘industry’.