Update: A bit less than a week after Adobe released a fix for a 0-day in Flash, the attack has migrated into at least two commonly available exploit kits: Magnitude (as of June 27) and Angler (June 29). The security researcher @Kafeine documented both findings in his blog. I hope you are patched already, because the exploit is now mainstream.
Original: Adobe came out today with an out-of-band patch (APSB15-14) for their Flash Player, the fifth time that Flash has required an out-of-band fix for a 0-day. FireEye had notified them of a critical vulnerability (CVE-2015-3113) that they discovered in use in Asia. They believe it was developed by the group called APT3 and used in targeted attacks against a number of industries. The vulnerability lies in the video decoding part of Flash, and the exploit shows some signs of sophistication by introducing new techniques in its use of ROP.
Update: Adobe has published a new version of the Flash Player (22.214.171.1246) that addresses CVE-2015-0311. At the moment only users of the automated Adobe Update service are getting the update. You can go into your control panel to see the installed version and trigger a manual update if necessary:
So that means that at the moment my Safari browser is the tool of choice to use. Google Chrome and Internet Explorer use their own update mechanisms, which is normally an advantage as they tend to be fast and convenient, but they have not received their automated updates yet. You can check the version of your Flash plugin here at the official Adobe page. A downloadable standalone update (APSB15-03) suitable for enterprise patch management systems is expected next week. If you decide not to update manually, take appropriate care when using Flash.
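For Windows hosts, where the Internet Explorer ActiveX control and the NPAPI plugin are patched separately, the version check can be scripted rather than done by hand in the control panel. The script below is an added example, not part of the original post or any Adobe tool: it reads the version values that Adobe's installers write under HKLM\SOFTWARE\Macromedia (assumed to be FlashPlayerActiveX and FlashPlayerPlugin, each with a Version value) and compares them against a minimum version you pass in. The fixed version number is a placeholder parameter; substitute the one from the relevant Adobe bulletin.

```powershell
# Added example (not from the original post): report the installed Flash Player
# builds on a Windows host and flag any that are below the patched version.
# Assumption: Adobe's installers record the version under these registry keys;
# on 64-bit Windows the 32-bit plugin may live under Wow6432Node instead.
param(
    # PLACEHOLDER: replace with the fixed version listed in the Adobe bulletin.
    [string]$MinimumVersion = "0.0.0.0"
)

$locations = @(
    @{ Name = 'ActiveX (Internet Explorer)';   Path = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX'; Value = 'Version' },
    @{ Name = 'NPAPI (Firefox/Safari plugin)'; Path = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerPlugin';  Value = 'Version' },
    @{ Name = 'ActiveX (32-bit, Wow6432Node)'; Path = 'HKLM:\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX'; Value = 'Version' },
    @{ Name = 'NPAPI (32-bit, Wow6432Node)';   Path = 'HKLM:\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerPlugin';  Value = 'Version' }
)

function ConvertTo-FlashVersion([string]$raw) {
    # Adobe writes versions either as "16,0,0,296" or "16.0.0.296";
    # normalise the separator so [version] can compare the four components numerically.
    [version]($raw -replace ',', '.')
}

$required = ConvertTo-FlashVersion $MinimumVersion
$vulnerable = 0

foreach ($loc in $locations) {
    $item = Get-ItemProperty -Path $loc.Path -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.$($loc.Value)) {
        Write-Output ("{0}: not installed" -f $loc.Name)
        continue
    }
    $installed = ConvertTo-FlashVersion $item.$($loc.Value)
    if ($installed -ge $required) {
        Write-Output ("{0}: {1} (OK)" -f $loc.Name, $installed)
    } else {
        Write-Output ("{0}: {1} (BELOW {2}, update required)" -f $loc.Name, $installed, $required)
        $vulnerable++
    }
}

# Non-zero exit code lets a patch-management job or login script act on the result.
exit $vulnerable
```

Run it as `.\Check-FlashVersion.ps1 -MinimumVersion <fixed version>` on each host; the exit code is the number of installed Flash components still below the required build, so it can feed a deployment job that only pushes the standalone update where it is needed. Chrome bundles its own copy of Flash and is updated through Chrome's updater, so this check does not cover it.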
Update: Adobe published advisory APSA15-01 acknowledging that a separate 0-day vulnerability exists (CVE-2015-0311) and indicates that it will be addressed next week with another update. @Kafeine updated his blog: the exploit now works against Windows 8.1 as well, so only Chrome continues to be excluded from the attack. EMET detects the attack and shuts down Internet Explorer. Please note that this represents only a quick test on limited configurations on his part. TrendMicro has some telemetry in their blog post that looks at a different Angler site than @Kafeine's post. Their analysis also points out that this exploit does not use some of the tell-tale Windows API calls that are often monitored by AV solutions, such as CreateProcess and WriteFile; instead it simply runs in memory, leaving persistence to a subsequently loaded malware.
Update: Adobe released APSB15-02 to address the vulnerability CVE-2015-0310. Adobe credits Yang Dingning, Timo Hirvonen and @Kafeine. Apply it as quickly as possible. Microsoft has updated advisory KB2755801 to show that Internet Explorer users will get the new version automatically. In addition, there seems to be some evidence that another exploit for a yet undisclosed vulnerability in Flash (even the latest version 126.96.36.1997) is out in the wild. ZScaler's research team blogs that this 0-day is also in use within the Angler Exploit Kit. Stay tuned for further updates.
Original: Security researcher Kafeine (https://twitter.com/kafeine) has apparently found a new exploit against the latest Adobe Flash (APSB15-01). The exploit is part of the Angler Exploit Kit and could have quite widespread impact. In his testing the following systems were exploited successfully:
Windows XP, IE8, latest Flash 188.8.131.527
Windows 7, IE9, latest Flash 184.108.40.2067
Windows 8, IE10, latest Flash 220.127.116.117
The exploit does not seem to work against Flash in Google Chrome or against Windows 8.1.
At the moment there is not much you can do about the threat, except reach out to your anti-malware provider to see if they block the exploit. Kafeine mentions Malwarebytes Anti-Exploit as preventing the exploit from running. Stay tuned for more updates.