Qualys Blog

www.qualys.com
wkandek

New 0-day vulnerability in Adobe Flash – Update 5

Update: Adobe has published a new version of the Flash player (16.0.0.296) that addresses CVE-2015-0311. At the moment only users of the automated Adobe Update service are getting the update. You can go into your control panel to see the installed version and trigger a manual update if necessary.


So that means that at the moment my Safari browser is the tool of choice. Google Chrome and Internet Explorer use their own update mechanisms, which is normally an advantage as they tend to be fast and convenient, but they have not gotten their automated updates yet. You can check the version of your Flash plugin at the official Adobe page. A downloadable standalone update (APSB15-03) suitable for enterprise patch management systems is expected next week. If you decide not to update manually, take appropriate care when using Flash.
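For a fleet rather than a single machine, the same version check can be scripted. The following is an added example, not code from Adobe or Qualys: it triages a constructed inventory against the fixed version 16.0.0.296 named above and separates plugins that can be updated manually from those that depend on the browser's own update channel. The inventory rows, status labels and the accepted comma-separated version form are assumptions.

```python
import re

FIXED = (16, 0, 0, 296)  # version the post says addresses CVE-2015-0311
# Browsers the post says deliver Flash through their own update mechanism
BROWSER_UPDATED = {"chrome", "internet explorer"}


def parse_version(text):
    """Accept '16.0.0.257', '16,0,0,257' or 'WIN 16,0,0,257'; return 4 ints."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Flash version: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(browser, version_text):
    """Classify one browser/plugin pair; status labels are hypothetical."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # do not silently treat unparsable data as patched
    if version >= FIXED:  # tuple compare is numeric, field by field
        return "patched"
    if browser.strip().lower() in BROWSER_UPDATED:
        return "wait-for-browser-update"
    return "manual-update"


# Constructed sample inventory: (host, browser, reported Flash version)
INVENTORY = [
    ("host-a", "Safari", "16.0.0.296"),
    ("host-b", "Firefox", "WIN 16,0,0,287"),
    ("host-c", "Chrome", "16.0.0.287"),
    ("host-d", "Internet Explorer", "16.0.0.257"),
    ("host-e", "Firefox", "16.0.0.1000"),  # a string compare would rank this below .296
    ("host-f", "Firefox", "n/a"),
]


def report(inventory=INVENTORY):
    return {host: triage(browser, ver) for host, browser, ver in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```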

Update: Adobe published advisory APSA15-01 acknowledging that a separate 0-day vulnerability exists (CVE-2015-0311) and indicating that it will be addressed next week with another update. @Kafeine updated his blog: The exploit now works against Windows 8.1 as well, so only Chrome continues to be excluded from the attack. EMET detects the attack and shuts down Internet Explorer. Please note that this represents only a quick test on limited configurations on his part. TrendMicro has some telemetry in their blog post that looks at a different Angler site than @Kafeine’s post. Their analysis also points out that this exploit does not use some of the tell-tale Windows API calls that are often monitored by AV solutions, such as CreateProcess and WriteFile – instead it simply runs in memory, leaving persistence to a subsequently loaded malware.

Update: Adobe released APSB15-02 to address the vulnerability CVE-2015-0310. Adobe credits Yang Dingning, Timo Hirvonen and @Kafeine. Apply as quickly as possible. Microsoft has updated advisory KB2755801 to show that Internet Explorer users will get the new version automatically. In addition, there seems to be some evidence that another exploit for an as yet undisclosed vulnerability in Flash (even the latest version 16.0.0.287) is out in the wild. ZScaler’s research team blogs that this 0-day is also in use within the Angler Exploit Kit. Stay tuned for further updates.

Original: Security researcher Kafeine (https://twitter.com/kafeine) has apparently found a new exploit against the latest Adobe Flash (APSB15-01). The exploit is part of the Angler Exploit Kit and could have quite widespread impact. In his testing the following systems were exploited successfully:

  • Windows XP, IE8, latest Flash 16.0.0.257
  • Windows 7, IE9, latest Flash 16.0.0.257
  • Windows 8, IE10, latest Flash 16.0.0.257

The exploit does not seem to work against Flash in Google Chrome or against Windows 8.1.

At the moment there is not much you can do about the threat, except reach out to your anti-malware provider to see if they block the exploit. Kafeine mentions Malwarebytes Anti Exploit as preventing the exploit from running. Stay tuned for more updates.
