Attack for Flash 0day goes live in popular exploit kit

23 Jan 2015 | Author: | No comments yet »

Adobe Flash hit by new zero-day flaw — needs patching.

The CVE-2015-0311 vulnerability is classified with the maximum ‘critical’ severity rating, and affects Flash Player 16.0.0.287 and earlier versions on Windows and Mac, version 13.0.0.262 and earlier releases, and 11.2.202.438 and earlier on Linux. Adobe has confirmed it is investigating a report that a previously-unknown and unpatched vulnerability, better known as a zero day, in its Flash software is being used by criminal hackers using an exploit kit known as Angler.TrendLabs has warned of a new problem affecting Adobe’s Flash product. “This is a serious situation that affects nearly everyone using Microsoft Windows,” the security company said.Users of some browsers may want to put off visiting sites that use Adobe’s Flash software – Adobe has patched a flaw in Flash, but a new one has been discovered.

Adobe has been hit by two zero-day flaws in the space of 24 hours, raising questions over the safety of its Flash Player platform which is being heavily targeted by cyber-criminals. The flaw was first reported yesterday by Cisco security researchers, who discovered an up-to-date version of the Angler exploit kit containing a successful exploit targeting the bug. UPDATE: Adobe has also now confirmed reports of a second zero-day affecting Flash, exploiting users of Internet Explorer and Firefox on Windows 8 and below, whilst patching the first bug. According to the Malware Don’t Need Coffee blog, the zero day affects the latest version of Flash on various Windows operating systems, including XP and 7. Malware researcher Kafeine discovered the attack on Flash Player yesterday in an instance of Angler that contains exploits for three Flash flaws – two old ones that Adobe has fixes for, and one new flaw that was not patched in last week’s security update, which brought Flash for Mac and Windows up to version 16.0.0.257.

In a 22 January advisory, the company said this bug “could be used to circumvent memory randomisation mitigations on the Windows platform”, and that it was being “used in attacks against older versions of Flash Player”. In a separate advisory, it has promised to patch this problem by 30 January at the latest – giving black hats a few more days to exploit the weakness. News of the flaw comes soon after an unscheduled patch released by Adobe on 22 January for a recently discovered vulnerability being exploited by cyber criminals. µ Why do many boards leave IT security primarily to security technicians, and why can’t techies convince their boards to spend scarce cash on protecting stakeholder information?

Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26.” And he pointed out: “Flash has been plagued with critical vulnerabilities in the past few months and has surpassed the no-longer-popular Java as the most exploited plugin.” Commenting on the bugs, Logical Step CISO Scott MacKenzie agreed that Adobe is being targeted, but said the company should also get credit for its fast reaction. He told SCMagazineUK.com via email: “Adobe Flash and Reader are installed on the majority of users’ desktops worldwide, as a result these products are closely scrutinised by attackers and security researchers as potential ingress points. “Adobe is very much where Microsoft was in the late 1990s and early 2000s due to their near ubiquitous desktop install base.

What makes this situation serious is that researchers, including our TrendLabs researchers, have discovered that attackers found this vulnerability first and have been attacking it before a patch is available: this kind of situation is called a “zero-day” situation, because defenders have “zero days” to protect against attacks. Jerome Segura, senior security researcher at Malwarebytes, told Forbes Angler “is probably the most prevalent and effective exploit kit”, due to its frequent updates. “Its author(s) have always kept up the pace with the discovery of new vulnerabilities, which they were always able to turn into exploits with a quick turnaround,” Segura said over email. “Angler was also the first to introduce a file-less exploit, which successfully bypassed most of the traditional security defences at the time. This means even if you keep your system up-to-date, you’re still at risk of attack until Adobe releases a patch,” said Dhanya Thakkar, Managing Director, India & SEA, Trend Micro. Back in the day, Blackhole was the ‘king of exploit kits’, but now Angler is certainly aspiring to this title as well.” With an added Adobe zero day, the Angler operators just showed how serious they are about becoming the de facto kit for online crime. The malware being distributed with the aid of the new exploit is called ‘Bedep’, which, according to security firm Malwarebytes, is “a distribution botnet that can load multiple payloads on the infected host”.

In this case, it’s installing malware that tricks online ad networks such as DoubleClick into counting fraudulent ad clicks and impressions. “Upon infection, explorer.exe (not to be confused with iexplore.exe) is injected and performs the ad fraud calls,” Jérôme Segura, a security research with Malwarebytes, said. He gained a bachelors degree in economics and arts (cultural studies) at Sydney’s Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s…

Here you can write a commentary on the recording "Attack for Flash 0day goes live in popular exploit kit".

* Required fields
All the reviews are moderated.
Twitter-news
Our partners
Follow us
Contact us
Our contacts

dima911@gmail.com

ICQ: 423360519

About this site