Category Archives: Flash

As Flash 0day exploits reach new level of meanness, what are users to do?

Less than five weeks into the new year, 2015 is already shaping up as one of the most perilous years for users of Adobe Flash, with active exploits against three separate zero-day vulnerabilities, one of which still wasn't fully patched as this post went live.

The latest attacks are hitting unsuspecting targets through drive-by downloads served through ads on dailymotion.com, theblaze.com, nydailynews.com, tagged.com, webmail.earthlink.net, and other sites, according to research from Malwarebytes. And while the vulnerability wasn't disclosed until this week, the exploits have been active and in the wild since December 3, Malwarebytes found.

While the attacks target Windows users running Flash in a Firefox or Internet Explorer browser, the underlying CVE-2015-0313 security bug is present in Flash for Macs and Linux machines as well. On late Wednesday, Adobe began distributing a fix to users who have opted to receive automatic updates. In the meantime, readers should consider disabling Flash altogether, or at the very least, using Flash inside Google Chrome, the browser many security experts say provides the most comprehensive anti-exploit protections. Attacks exploiting CVE-2015-0313 are unable to escape the Chrome security sandbox, research from Trend Micro found.

Read 5 remaining paragraphs | Comments

Flash Zero Day Being Exploited In The Wild

This is not the first Flash Zero Day and it certainly won’t be the last, thanks to the Sandbox implemented in Chrome since 2011 – users of the browser are fairly safe. Those using IE are in danger (as usual) and certain versions of Firefox. It has been rolled into the popular Angler Exploit Kit, [...] The post Flash Zero Day Being...

Read the full post at darknet.org.uk

Zero-day Flash bug under active attack in Windows threatens OS X, Linux too

A fragment of the shellcode exploiting a critical vulnerability in Adobe Flash.

A day after reports that attackers are exploiting a zero-day vulnerability in Microsoft's Internet Explorer browser, researchers warned of a separate active campaign that was targeting a critical vulnerability in fully patched versions of Adobe's ubiquitous Flash media player.

The attacks were hosted on the Syrian Ministry of Justice website at hxxp://jpic.gov.sy and were detected on seven computers located in Syria, leading to theories that the campaign targeted dissidents complaining about the government of President Bashar al-Assad, according to a blog post published Monday by researchers from antivirus provider Kaspersky Lab. The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page. The attackers appear to be unrelated to those reported on Sunday who exploited a critical security bug in Internet Explorer, a Kaspersky representative told Ars.

While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well. Adobe has updated all three versions to plug the hole. Because security holes frequently become much more widely exploited in the hours or days after they are disclosed, people on all three platforms should update as soon as possible. People using IE 10 and 11 on Windowws 8 will receive the update automatically, as will users of Google's Chrome browser. It can sometimes take hours for the automatic updates to arrive. Those who are truly cautious should consider manually installing them. Windows users with Firefox installed must run a separate update for both IE and the Mozilla browser.

Read 4 remaining paragraphs | Comments

Adobe releases emergency Flash update amid new zero-day drive-by attacks

Adobe has released an emergency update for its widely used Flash Player to combat active attacks that exploit a previously unknown security bug that hackers are actively exploiting to surreptitiously install malware on end-user computers.

The vulnerability, which affects the latest versions of Flash, was being exploited in drive-by attacks on the websites of at least three nonprofit organizations, according to a blog post published Thursday by researchers from security firm FireEye. Two of the institutions—the Peter G. Peterson Institute for International Economics and the Smith Richardson Foundation—focus on matters of national security and public policy. The targets, combined with the technical signatures of the attacks themselves, have led researchers to suspect that the attackers are the same ones behind similar campaigns from 2012. The FireEye researchers wrote:

This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues. The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.

This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.

The vulnerability, which is indexed as CVE-2014-0502 under the common vulnerabilities and exposure system, allows attackers in certain cases to execute malicious code by overwriting the virtual function table pointer of a Flash object. In a testament to the growing effectiveness of modern exploit mitigation techniques, a protection known as address space layout randomization (ASLR) prevents the exploit from working on the vast majority of machines. ASLR vastly decreases the chances that a remote-code-execution attack will succeed by loading downloaded scripts in a different memory location each time the computer is rebooted. The attackers behind the campaign discovered by FireEye found a way to bypass ASLR on computers running older software. Specifically, PCs running Windows XP, Windows 7 with the now-unsupported 1.6 version of Oracle's Java, and Windows 7 with a now out-of-date version of Office 2007 or Office 2010 don't benefit from the protection of ASLR.

Read 2 remaining paragraphs | Comments

Adobe, Microsoft Release Critical Updates

Patch Tuesday is upon us once again. Adobe today pushed out security fixes for its Flash and Shockwave media players. Separately, Microsoft released seven patch bundles addressing at least 34 vulnerabilities in Microsoft Windows and other software. At least one of the Windows flaws is already being exploited in active attacks.

crackedwinSix of the seven Microsoft patches released today earned the company’s most dire “critical” rating, meaning the patches plug security holes that could be exploited by malware or miscreants with no help from PC users, save for visiting a hacked site or opening a specially crafted document.

Microsoft and security experts are calling special attention to MS13-053, which fixes at least eight flaws in Windows’ implementation of TrueType font files. These critical TrueType vulnerabilities exist on nearly every supported version of Windows, including XP, Vista, Windows 7 and Windows 8, and can be exploited to gain complete control over a vulnerable Windows system, just by having the user visit a Web page that contains malicious TrueType content. To make matters worse, Microsoft says one component of this vulnerability (CVE-2013-3660) is already being exploited in the wild.

There’s something else that’s interesting about these TrueType flaws: Ross Barrett, senior manager of security engineering at Rapid7, notes that For the first time ever Microsoft is addressing a single TrueType vulnerability (CVE-2013-3129) in three different advisories (MS13-052, MS13-053, and MS13-054). “By splitting this out, Microsoft is directly addressing a complaint about previous “rolled up” advisories where it was difficult to properly prioritize the multiple patches required to remediate the problem, and component patches were frequently missed,” Barrett notes.

The other big deal in today’s patch batch from Redmond is the Internet Explorer update (MS13-055), which is rated critical for all versions of IE and addresses 17 vulnerabilities. For a breakdown of the updates released today, check out this summary page, which includes links to all of the individual patches.

Also, Microsoft today announced a policy change related to the security of applications for sale or download in the Microsoft marketplace: Henceforth, any app that has a reported security issue will be removed from the marketplace store if it is not patched within 180 days of Microsoft confirming the problem. Read more about that policy change at Microsoft’s Technet Blog.

ADOBE FLASH & SHOCKWAVE

brokenflash-aAdobe’s Flash Player update fixes at least three critical bugs in the program. Updates are available for Windows, Mac, Linux and Android versions of Flash. This update brings Flash Player to version 11.8.800.94 on Windows and Mac systems (other OS users see the chart at the end of this post). To find out which version of Flash you have installed, visit this page. Internet Explorer 10 auto-updates its built-in Flash Player; Chrome does as well, but the latest patched version of Flash on Chrome is 11.8.800.97. My installation of Chrome does not appear to have updated to the latest version yet.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (FirefoxOpera, e.g.).

Adobe also released a new version of its Shockwave Player software that fixes at least one critical flaw, bringing Shockwave to v. 12.0.3.133 on Windows and Mac systems. Updates are available here. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.

shockwaveIf you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or, in the case of Google Chrome, just downloads it for you), then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.

Adobe did not release any updates for AIR today, as it normally does when it pushes out Flash updates. The company says it is not aware of any active exploits or attacks in the wild that take advantage of the vulnerabilities fixed in today’s Flash and Shockwave releases.

If all of this patch frenzy has your head spinning, consider using some free tools to help automate the process for you. File Hippo’s Update Checker works great on this front, as does Secunia’s Personal Software Inspector (I prefer PSI 2 over PSI 3, but your mileage may vary). And, as always, if you experience any problems or interesting issues applying the Windows updates or any of the other patches, please drop a note in the comments section below.

adobeflash11-8-800-94

Copyright © 2015. Powered by WordPress & Romangie Theme.