NEW TOOL FOR DISCOVERING FLASH PLAYER 0-DAY ATTACKS IN THE WILD FROM VARIOUS CHANNELS presented at BlackHatEU 2015

by Peter Pi

Summary: 2015 is the Year of Flash. Zero-day attacks found in 2015 almost always use Flash Player.
In 2013 and 2014, Java and IE were the most popular attack targets for PCs. Oracle introduced a pop-up window to escape from the attack spotlight. Microsoft introduced isolated heap and memory protector to avoid huge attacks from UAF bugs in the second half of 2014. Based on these findings in late 2014, I predicted that 2015 would be the Year of the Flash Attack. Armed with this knowledge, I worked to discover several Flash 0-day attacks. The most important thing in discovering Flash 0-day attacks is how to get effective samples in the wild, and the second most important task is how to identify 0-days effectively from these samples, which may be very large data sets. In this session, I will detail the following points:
The various channels I used to get Flash samples in the wild.
The process I used to identify 0-day samples from these big sets of data.
The tool I used to detect Flash 0-day attack samples with extremely low false positive alerts.