Category Archives: Flash

As Flash 0day exploits reach new level of meanness, what are users to do?

Less than five weeks into the new year, 2015 is already shaping up as one of the most perilous years for users of Adobe Flash, with active exploits against three separate zero-day vulnerabilities, one of which still wasn't fully patched as this post went live.

The latest attacks are hitting unsuspecting targets through drive-by downloads served through ads on dailymotion.com, theblaze.com, nydailynews.com, tagged.com, webmail.earthlink.net, and other sites, according to research from Malwarebytes. And while the vulnerability wasn't disclosed until this week, the exploits have been active and in the wild since December 3, Malwarebytes found.

While the attacks target Windows users running Flash in a Firefox or Internet Explorer browser, the underlying CVE-2015-0313 security bug is present in Flash for Macs and Linux machines as well. On late Wednesday, Adobe began distributing a fix to users who have opted to receive automatic updates. In the meantime, readers should consider disabling Flash altogether, or at the very least, using Flash inside Google Chrome, the browser many security experts say provides the most comprehensive anti-exploit protections. Attacks exploiting CVE-2015-0313 are unable to escape the Chrome security sandbox, research from Trend Micro found.

Read 5 remaining paragraphs | Comments

Flash Zero Day Being Exploited In The Wild

This is not the first Flash Zero Day and it certainly won’t be the last, thanks to the Sandbox implemented in Chrome since 2011 – users of the browser are fairly safe. Those using IE are in danger (as usual) and certain versions of Firefox. It has been rolled into the popular Angler Exploit Kit, [...] The post Flash Zero Day Being...

Read the full post at darknet.org.uk

Zero-day Flash bug under active attack in Windows threatens OS X, Linux too

A fragment of the shellcode exploiting a critical vulnerability in Adobe Flash.

A day after reports that attackers are exploiting a zero-day vulnerability in Microsoft's Internet Explorer browser, researchers warned of a separate active campaign that was targeting a critical vulnerability in fully patched versions of Adobe's ubiquitous Flash media player.

The attacks were hosted on the Syrian Ministry of Justice website at hxxp://jpic.gov.sy and were detected on seven computers located in Syria, leading to theories that the campaign targeted dissidents complaining about the government of President Bashar al-Assad, according to a blog post published Monday by researchers from antivirus provider Kaspersky Lab. The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page. The attackers appear to be unrelated to those reported on Sunday who exploited a critical security bug in Internet Explorer, a Kaspersky representative told Ars.

While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well. Adobe has updated all three versions to plug the hole. Because security holes frequently become much more widely exploited in the hours or days after they are disclosed, people on all three platforms should update as soon as possible. People using IE 10 and 11 on Windowws 8 will receive the update automatically, as will users of Google's Chrome browser. It can sometimes take hours for the automatic updates to arrive. Those who are truly cautious should consider manually installing them. Windows users with Firefox installed must run a separate update for both IE and the Mozilla browser.

Read 4 remaining paragraphs | Comments

Copyright © 1995 - 2015. Kashif Ali.