Category: Flash

Jun 24 2015

Patch early, patch often: Adobe pushes emergency fix for active 0-day

Yet again, Adobe has released a new patch to fix a critical vulnerability that "could potentially allow an attacker to take control of the affected system," according to the company.

Adobe acknowledged that the flaw (CVE-2015-3113) is "being actively exploited in the wild via limited, targeted attacks." The known attacks target Internet Explorer on Windows 7 and earlier and Firefox on Windows XP, according to the patch details. Adobe says the following software can potentially be impacted:

  • Adobe Flash Player and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player and earlier 11.x versions for Linux

The company recommends updating to the latest version of Flash to avoid the risk of exploitation, but at this point users should take a hard look at how necessary Flash is to their daily Internet use. In 2015 alone, we've seen Adobe issue multiple emergency Flash updates to patch critical vulnerabilities under active attack—including three such instances in the first five weeks of the year. The situation has gotten so grim that security reporter Brian Krebs recently experimented with a month without having the Flash Player installed at all. "The result? I hardly missed it at all," Krebs writes.

This newest flaw was uncovered through the help of FireEye security researchers. A Singapore-based FireEye team discovered the vulnerability in June by detecting a phishing campaign exploiting CVE-2015-3113. "The attackers’ e-mails included links to compromised Web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113," FireEye writes.

FireEye identified APT3, a China-based group also known as UPS, as responsible for these attacks (see more on the group in FireEye's report on Operation Clandestine Fox). APT3 has previously used other browser-based zero-day attacks against Internet Explorer and Firefox. FireEye notes that APT3 is difficult to track because there is little overlap between its campaigns, and the group typically moves quickly ("After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors," the new report states). According to the researchers, APT3 has run these phishing campaigns against companies in aerospace and defense, engineering, telecommunications, and transportation this year.

FireEye's report on CVE-2015-3113 offers much greater detail than Adobe's patch notes. For instance, the typical phishing e-mails were spam-like offers for refurbished iMacs:

"Save between $200-450 by purchasing an Apple Certified Refurbished iMac through this link. Refurbished iMacs come with the same 1-year extendable warranty as new iMacs. Supplies are limited, but update frequently.

Don't hesitate . . .>Go to Sale"

FireEye also broke down where unfortunate targets were directed after clicking such URLs—a compromised server hosting JavaScript profiling scripts. "Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file," FireEye reports. "This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system. The payload is obscured using xor encoding and appended to a valid GIF file."
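The delivery detail worth checking for in your own samples is the last sentence: a payload XOR-obscured and appended after the end of an otherwise valid GIF. The following carver is an added example, not code from FireEye or the article. It assumes a single-byte XOR key and a Windows executable payload (the excerpt specifies neither), and the GIF and payload it operates on are constructed here. It walks the GIF block structure rather than searching for the first 0x3B byte, because 0x3B is a legal value inside image data and a naive search would stop at the wrong place.

```python
# Added example: carve and decode a XOR-obscured payload appended after a GIF trailer.
# Assumptions (not from the report): single-byte XOR key, PE payload, constructed sample GIF.


def _skip_subblocks(data, pos):
    """Advance past a chain of GIF data sub-blocks (length byte + data) to just after the 0x00 terminator."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def _color_table_len(packed):
    """Byte length of a colour table if the packed field flags one present, else 0."""
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0


def split_gif_payload(data):
    """Return (gif_bytes, appended_bytes), locating the trailer by parsing the block structure."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    pos = 6
    pos += 7 + _color_table_len(data[pos + 4])        # logical screen descriptor + global colour table
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                               # trailer: everything after it was appended
            return data[:pos], data[pos:]
        if tag == 0x21:                               # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif tag == 0x2C:                             # image descriptor (9 bytes), local colour table,
            pos += 9 + _color_table_len(data[pos + 8]) + 1   # LZW minimum code size, then sub-blocks
            pos = _skip_subblocks(data, pos)
        else:
            raise ValueError("unexpected GIF block 0x%02x at offset %d" % (tag, pos - 1))
    raise ValueError("GIF trailer not found")


def xor_bytes(buf, key):
    return bytes(b ^ key for b in buf)


def recover_appended_payload(data):
    """Brute-force a single-byte XOR key over the appended bytes; return (key, decoded) on an MZ hit, else None."""
    _, tail = split_gif_payload(data)
    for key in range(256):
        decoded = xor_bytes(tail, key)
        if decoded[:2] == b"MZ":                      # DOS/PE header (assumed payload type)
            return key, decoded
    return None


# Constructed 1x1 GIF89a; the image data sub-block deliberately contains a 0x3B byte.
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"       # header, logical screen descriptor (GCT present, 2 entries)
    + b"\x00\x00\x00\xff\xff\xff"                    # global colour table
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"            # graphic control extension
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor, no local colour table
    + b"\x02\x03\x44\x3b\x01\x00"                    # LZW min code size, one sub-block (contains 0x3B), terminator
    + b"\x3b"                                        # trailer
)
FAKE_KEY = 0x5A
FAKE_PAYLOAD = b"MZ" + b"\x00" * 14 + b"constructed stand-in for a PE file"
SAMPLE = CLEAN_GIF + xor_bytes(FAKE_PAYLOAD, FAKE_KEY)

if __name__ == "__main__":
    print("first 0x3B at offset %d, real trailer at offset %d"
          % (CLEAN_GIF.index(b"\x3b"), len(CLEAN_GIF) - 1))
    key, payload = recover_appended_payload(SAMPLE)
    print("key 0x%02x, payload starts %r" % (key, payload[:2]))
```

On a real sample, treat the decoded bytes as untrusted input: the MZ check only tells you a candidate key reproduced a plausible header, and a multi-byte or rolling key would need a different search (known-plaintext against the DOS stub is the usual next step).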


Feb 04 2015

As Flash 0day exploits reach new level of meanness, what are users to do?

Less than five weeks into the new year, 2015 is already shaping up as one of the most perilous years for users of Adobe Flash, with active exploits against three separate zero-day vulnerabilities, one of which still wasn't fully patched as this post went live.

The latest attacks are hitting unsuspecting targets through drive-by downloads served through ads on several sites, according to research from Malwarebytes. And while the vulnerability wasn't disclosed until this week, the exploits have been active in the wild since December 3, Malwarebytes found.

While the attacks target Windows users running Flash in Firefox or Internet Explorer, the underlying CVE-2015-0313 security bug is present in Flash for Macs and Linux machines as well. Late Wednesday, Adobe began distributing a fix to users who have opted to receive automatic updates. In the meantime, readers should consider disabling Flash altogether or, at the very least, running Flash only inside Google Chrome, the browser many security experts say provides the most comprehensive anti-exploit protections. Attacks exploiting CVE-2015-0313 are unable to escape the Chrome security sandbox, research from Trend Micro found.


Jan 22 2015

Flash Zero Day Being Exploited In The Wild

This is not the first Flash zero day and it certainly won't be the last. Thanks to the sandbox Chrome has run Flash in since 2011, users of that browser are fairly safe; those using IE are in danger (as usual), as are users of certain versions of Firefox. The exploit has been rolled into the popular Angler Exploit Kit. [...]

Jul 08 2014

“Weaponized” exploit can steal sensitive user data on eBay, Tumblr, et al.

Update: Almost four hours after this article went live, a Tumblr spokeswoman e-mailed Ars to say the site has been patched against the Rosetta Flash attack. Later, a cofounder of Olark said that service had been patched, too.

A serious attack involving a widely used Web communication format is exposing millions of end users' authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday.

The exploit, known as Rosetta Flash, stems from Flash Player's willingness to execute a Flash file whose bytes consist entirely of letters and digits, which lets an attacker have a malicious Flash file echoed back by a vulnerable site and run with that site's privileges. It has been largely mitigated by a Flash security update Adobe released Tuesday morning to coincide with a technical analysis of the threat, including proof-of-concept exploit code. It will take days or weeks for a meaningful percentage of end users to install the fix, so the researcher who wrote the advisory is warning engineers at large websites to make server-side changes that will minimize the damage attackers can inflict on visitors. eBay, Tumblr, Instagram, and Olark are known to be vulnerable to attacks that can intercept authentication cookies or other data they send end users. Until recently, both Twitter and a wide range of Google services were also susceptible to the exploit. The common identifier assigned to the exploit is CVE-2014-4671.
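The server-side change the paragraph alludes to is concrete. The reflection vector Rosetta Flash abused was JSONP endpoints, which echo a caller-supplied callback name at byte 0 of the response; the article does not spell this out, so take it as this editor's gloss. Below is an added example (not code from the advisory or from any of the named sites) showing the weak endpoint beside a hardened one. The callback string is a constructed stand-in: only its three-byte SWF signature matters here, and it is not a working SWF. The mitigations shown (constant `/**/` prefix, callback whitelist, nosniff) are the ones publicly recommended after the advisory.

```python
# Added example: JSONP endpoint before and after Rosetta Flash hardening.
# Constructed inputs; the callback stand-in is not a real SWF.
import json
import re

# Callback names allowed through: a dotted JavaScript identifier path, nothing else.
# Note that an alphanumeric-only SWF passes this check, so validation alone is not a fix.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]{0,63}(?:\.[A-Za-z_$][\w$]{0,63})*$")

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib and LZMA SWF signatures


def looks_like_swf(body):
    """True if Flash Player would see a SWF signature at byte 0 of this response body."""
    return body.encode("latin-1", "replace")[:3] in SWF_MAGICS


def jsonp_vulnerable(callback, payload):
    """Endpoint as commonly written in 2014: the callback name is reflected at offset 0."""
    return {
        "status": 200,
        "headers": {"Content-Type": "application/javascript"},
        "body": "%s(%s);" % (callback, json.dumps(payload)),
    }


def jsonp_hardened(callback, payload):
    """Rosetta Flash-resistant variant (assumed mitigations, see lead-in)."""
    if not CALLBACK_RE.match(callback):
        return {"status": 400, "headers": {"Content-Type": "text/plain"}, "body": "bad callback"}
    return {
        "status": 200,
        "headers": {
            "Content-Type": "application/javascript; charset=utf-8",
            "X-Content-Type-Options": "nosniff",   # stop browsers sniffing the body as another type
        },
        # The constant prefix is the real fix: byte 0 is no longer attacker-chosen, so the body can
        # never start with FWS/CWS/ZWS whatever the callback contains. Still valid JavaScript.
        "body": "/**/%s(%s);" % (callback, json.dumps(payload)),
    }


# Constructed stand-in for an alphanumeric SWF: passes the identifier whitelist, carries the CWS signature.
CRAFTED_CALLBACK = "CWSconstructedAlphanumericStandIn"
SESSION_DATA = {"user": "alice", "csrf": "t0k3n"}   # constructed data an attacker would want to read cross-origin

if __name__ == "__main__":
    for name, fn in (("vulnerable", jsonp_vulnerable), ("hardened", jsonp_hardened)):
        r = fn(CRAFTED_CALLBACK, SESSION_DATA)
        print("%-10s status=%d swf=%s body=%r" % (name, r["status"], looks_like_swf(r["body"]), r["body"][:40]))
```

The whitelist is still worth keeping, since it closes the ordinary script-injection cases, but on its own it does nothing against this attack: the crafted callback passes it. The prefix is what breaks the technique, and it is a one-line change that needs no client update.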
