Update: A bit less than a week after Adobe released a fix for a 0-day in Flash, the attack has already migrated into at least two commonly available exploit kits, Magnitude (as of June 27) and Angler (June 29). Security researcher @kafeine documented both findings in his blog. I hope you are patched already, because the exploit is now mainstream.
Original: Adobe came out today with an out-of-band patch (APSB15-14) for their Flash Player, the fifth time that Flash has required an out-of-band fix for a 0-day. FireEye had notified them of a critical vulnerability (CVE-2015-3113) that they discovered in use in Asia. They believe it was developed by the group called APT3 and used in targeted attacks against a number of industries. The vulnerability lies in the video decoding part of Flash, and the exploit shows some signs of sophistication by introducing new techniques in its use of ROP.
April’s Patch Tuesday continues the 2015 trend of high-volume patches. This month we have a full set of 11 patches from Microsoft addressing 26 vulnerabilities. The vulnerabilities affect Windows and Office on both servers and workstations. In addition, Oracle is publishing their quarterly Critical Patch Update fixing 98 vulnerabilities in over 25 software categories, including Java, Oracle RDBMS and MySQL.
Add to that the fixes in Adobe, Mozilla and Google Chrome software that were initiated by the results of the PWN2OWN competition in Vancouver, and every defensive IT security professional will have their work doubled this month.
February Patch Tuesday 2015 comes after a quite turbulent month for information security professionals. Not so much Microsoft, but Adobe has been keeping us busy with multiple disclosed 0-day vulnerabilities in their Flash software. All of the known issues have been addressed very quickly by Adobe (APSB15-02, 03 and 04), typically turning around a fix in less than a week. Still, it is worrisome to see the number of problems that cyber criminals are able to find in software that we all have installed and use in our daily lives.
Update2: The patch rollout for CVE-2015-0313 has begun. First the Adobe Flash autoupdaters, then later the downloadable package plus Chrome and IE.
Update: More evidence on the 0-day (CVE-2015-0313) in the latest Adobe Flash. Trend now believes that it is the Hanjuan Exploit Kit, not Angler, that is actively using the 0-day. In addition, their testing has shown that the exploit is unable to escape the Google Chrome sandbox, so Flash running under Google Chrome is still safe. This is actually good news and similar to the last 0-day, CVE-2015-0311. Cisco’s Talos group meanwhile reports on further variants of CVE-2015-0311, and their telemetry gives an idea of the spread of the attack, which uses an ad network.
Original: After Adobe fixed two 0-days (APSB15-02 and APSB15-03) in January, February starts off with its own 0-day. Trend Micro reports, and Adobe acknowledges, the new 0-day CVE-2015-0313, which comes to us courtesy of the Angler Exploit Kit again. Not much is known at this time, with the exception that Trend’s security tools are preventing the exploit from executing. No word so far on other tools such as the free EMET.
Maybe this is just the Angler tech team living up to their maintenance contracts to always have a 0-day around?
Update: Adobe has published a new version of the Flash player (184.108.40.2066) that addresses CVE-2015-0311. At the moment only users of the automated Adobe Update service are getting the update. You can go into your control panel to see the installed version and trigger a manual update if necessary:
So that means that at the moment my Safari browser is the tool of choice to use. Google Chrome and Internet Explorer use their own update mechanism, which is normally an advantage as they tend to be fast and convenient, but they have not gotten their automated updates yet. You can check the version of your Flash plugin here at the official Adobe page. A downloadable standalone update (APSB15-03) suitable for enterprise patch management systems is expected next week. If you decide not to update manually, take appropriate care when using Flash.
Update: Adobe published advisory APSA15-01 acknowledging that a separate 0-day vulnerability exists (CVE-2015-0311) and indicating that it will be addressed next week with another update. @Kafeine updated his blog: the exploit now works against Windows 8.1 as well, so only Chrome continues to be excluded from the attack. EMET detects the attack and shuts down Internet Explorer. Please note that this represents only a quick test on limited configurations on his part. TrendMicro has some telemetry in their blog post that looks at a different Angler site than @Kafeine’s post. Their analysis also points out that this exploit does not use some of the tell-tale Windows API calls that are often monitored by AV solutions, such as CreateProcess and WriteFile; instead it simply runs in memory, leaving persistence to a subsequently loaded malware.
Update: Adobe released APSB15-02 to address the vulnerability CVE-2015-0310. Adobe credits Yang Dingning, Timo Hirvonen and @Kafeine. Apply as quickly as possible. Microsoft has updated advisory KB2755801 to show that Internet Explorer users will get the new version automatically. In addition, there seems to be some evidence that another exploit for a yet undisclosed vulnerability in Flash (even the latest version 220.127.116.117) is out in the wild. ZScaler’s research team blogs that this 0-day is also in use within the Angler Exploit Kit. Stay tuned for further updates.
Original: Security researcher Kafeine (https://twitter.com/kafeine) has apparently found a new exploit against the latest Adobe Flash (APSB15-01). The exploit is part of the Angler Exploit Kit and could have quite widespread impact. In his testing the following systems were exploited successfully:
Windows XP, IE8, latest Flash 18.104.22.1687
Windows 7, IE9, latest Flash 22.214.171.1247
Windows 8, IE10, latest Flash 126.96.36.1997
The exploit does not seem to work against Flash in Google Chrome or against Windows 8.1.
At the moment there is not much you can do about the threat, except reach out to your anti-malware provider to see if they block the exploit. Kafeine mentions Malwarebytes Anti-Exploit as preventing the exploit from running. Stay tuned for more updates.
For the first Patch Tuesday in 2015 Microsoft has posted eight bulletins, one critical and seven important, a quite normal start in terms of numbers, but limited in terms of software. For example, there is no update for Internet Explorer.
It is January 2015 and the week before the year’s first Patch Tuesday. Microsoft should have posted their first Advance Notification (ANS), kicking off the patch cycle. But a new year brings many changes, and the Advance Notification is affected by one of them. Microsoft will stop providing the ANS information to the general public, and interested parties will have to ask for it through their account manager. Hmmh, I personally have always thought that our customers were interested in the information contained in ANS, but we will see how that works out.
Microsoft announced in security advisory 3010060 that they are aware of limited attacks against a new vulnerability in OLE Packager. The vulnerability CVE-2014-6352 exists on all supported versions of Windows except Windows 2003. The attack allows for remote code execution. As a temporary solution Microsoft has prepared a Fix-it in KB3010060. There are also instructions on how to configure EMET to block the attack.
OLE Packager was patched just this month in MS14-060. There a vulnerability (CVE-2014-4114) was also under limited attack through PowerPoint, and Microsoft credited iSIGHT Partners for the find. The new CVE-2014-6352 has security researchers from Google and McAfee in its credits section. McAfee has a blog post that details how they detected the additional weaknesses in OLE Packager.
October 2014 Patch Tuesday from Microsoft focuses mainly on desktop software like Windows, Office, Word and IE, with the attack vector targeting end users. Several of the vulnerabilities are in use by attackers in the wild and should receive extra-urgent treatment by enterprises and end users alike. iSIGHT Partners are reporting their research on a malware campaign that has been active for 5 years. They have dubbed the campaign “Sandworm”, due to a number of Dune references in the command and control URLs. One of the iterations of the campaign during the summer of 2014 used a 0-day vulnerability in Windows (CVE-2014-4114) triggered through a malicious PowerPoint file. Microsoft is addressing the flaw today in MS14-060.