Adobe fixes just one of two actively exploited zero-day vulnerabilities in Flash …

23 Jan 2015

Adobe Flash hit by new zero-day flaw — needs patching.

The CVE-2015-0311 vulnerability is classified with the maximum ‘critical’ severity rating, and affects Flash Player and earlier versions on Windows and Mac, version and earlier releases, and and earlier on Linux. Adobe has confirmed it is investigating a report that a previously-unknown and unpatched vulnerability, better known as a zero day, in its Flash software is being used by criminal hackers using an exploit kit known as Angler. TrendLabs has warned of a new problem affecting Adobe’s Flash product. “This is a serious situation that affects nearly everyone using Microsoft Windows,” the security company said. Users of some browsers may want to put off visiting sites that use Adobe’s Flash software – Adobe has patched a flaw in Flash, but a new one has been discovered. Adobe today released an important security update for its Flash Player software that fixes a vulnerability which is already being exploited in active attacks.

The flaw was first reported yesterday by Cisco security researchers, who discovered an up-to-date version of the Angler exploit kit containing a successful exploit targeting the bug. UPDATE: Adobe has also now confirmed reports of a second zero-day affecting Flash, exploiting users of Internet Explorer and Firefox on Windows 8 and below, whilst patching the first bug. According to the Malware Don’t Need Coffee blog, the zero day affects the latest version of Flash on various Windows operating systems, including XP and 7. Malware researcher Kafeine discovered the attack on Flash Player yesterday in an instance of Angler that contains exploits for three Flash flaws – two old ones that Adobe has fixes for, and one new flaw that was not patched in last week’s security update, which brought Flash for Mac and Windows up to version Early indicators of a Flash zero-day vulnerability came this week in a blog post by Kafeine, a noted security researcher who keeps close tabs on new innovations in “exploit kits.” Often called exploit packs — exploit kits are automated software tools that help thieves booby-trap hacked sites to deploy malicious code.

News of the flaw comes soon after an unscheduled patch released by Adobe on 22 January for a recently discovered vulnerability being exploited by cyber criminals. Attackers may be targeting Windows and IE users now, but the vulnerability fixed by this update exists in versions of Flash that run on Mac and Linux as well. While Flash users should definitely update as soon as possible, there are indications that this fix may not plug all of the holes in Flash for which attackers have developed exploits.

What makes this situation serious is that researchers, including our TrendLabs researchers, have discovered that attackers found this vulnerability first and have been attacking it before a patch is available: this kind of situation is called a “zero-day” situation, because defenders have “zero days” to protect against attacks. Jerome Segura, senior security researcher at Malwarebytes, told Forbes Angler “is probably the most prevalent and effective exploit kit”, due to its frequent updates. “Its author(s) have always kept up the pace with the discovery of new vulnerabilities, which they were always able to turn into exploits with a quick turnaround,” Segura said over email. “Angler was also the first to introduce a file-less exploit, which successfully bypassed most of the traditional security defences at the time.

This means even if you keep your system up-to-date, you’re still at risk of attack until Adobe releases a patch,” said Dhanya Thakkar, Managing Director, India & SEA, Trend Micro. Back in the day, Blackhole was the ‘king of exploit kits’, but now Angler is certainly aspiring to this title as well.” With an added Adobe zero day, the Angler operators just showed how serious they are about becoming the de facto kit for online crime. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

The malware being distributed with the aid of the new exploit is called ‘Bedep’, which, according to security firm Malwarebytes, is “a distribution botnet that can load multiple payloads on the infected host”. For now, it’s probably impractical for most users to remove Flash altogether, but there are in-between options to limit automatic rendering of Flash content in the browser. In this case, it’s installing malware that tricks online ad networks such as DoubleClick into counting fraudulent ad clicks and impressions. “Upon infection, explorer.exe (not to be confused with iexplore.exe) is injected and performs the ad fraud calls,” Jérôme Segura, a security researcher with Malwarebytes, said.

My favorite is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. The company said on an official blog: “Symantec regards this vulnerability as critical because Adobe Flash Player is widely used and the flaw allows an attacker to effectively compromise a host, which then allows for the unauthorized installation of malware.” Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking.

Windows users also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications. He gained a bachelor’s degree in economics and arts (cultural studies) at Sydney’s Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s…
