22 Jan 15

Flash Patch Targets Zero-Day Exploit

Adobe today released an important security update for its Flash Player software that fixes a vulnerability which is already being exploited in active attacks. Compounding the threat, the company said it is investigating reports that crooks may have developed a separate exploit that gets around the protections in this latest update.

Early indicators of a Flash zero-day vulnerability came this week in a blog post by Kafeine, a noted security researcher who keeps close tabs on new innovations in “exploit kits.” Often called exploit packs, exploit kits are automated software tools that help thieves booby-trap hacked sites to deploy malicious code.

Kafeine wrote that a popular crimeware package called the Angler Exploit Kit was targeting a previously undocumented vulnerability in Flash that appears to work against many different combinations of the Internet Explorer browser on Microsoft Windows systems.

Attackers may be targeting Windows and IE users for now, but the vulnerability fixed by this update also exists in the versions of Flash that run on Mac and Linux. The Flash update brings the media player to version 16.0.0.287 on Mac and Windows systems, and 11.2.202.438 on Linux.

While Flash users should definitely update as soon as possible, there are indications that this fix may not plug all of the holes in Flash for which attackers have developed exploits. In a statement released along with the Flash update today, Adobe said its patch addresses a newly discovered vulnerability that is being actively exploited, but that there appears to be another active attack this patch doesn’t address.

“Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player,” Adobe said. “Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.”

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their bundled versions of Flash, although as of this writing the latest version of Chrome (40.0.2214.91) still appears to be running v. 16.0.0.257.
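As an added illustration (not part of the original post or Adobe's tooling): a small Python inventory check that compares installed Flash Player versions numerically against the minimum fixed builds quoted above (16.0.0.287 on Windows and Mac, 11.2.202.438 on Linux). The hostnames and inventory lines are constructed sample data, and the thresholds are a parameter so the same check can be rerun when a later fix, such as the 16.0.0.296 build mentioned in the comments, ships.

```python
"""Flag Flash Player installs that are below the build a given advisory fixes.

Added example, not from the post. The default thresholds are the ones the
post quotes for this update; the inventory lines below are constructed.
"""
from typing import Dict, List, Tuple

# Minimum fixed build per platform, as stated in the post for this update.
FIXED_VERSIONS: Dict[str, str] = {
    "windows": "16.0.0.287",
    "mac": "16.0.0.287",
    "linux": "11.2.202.438",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '16.0.0.287' into (16, 0, 0, 287) so the comparison is numeric.

    A plain string comparison would rank '16.0.0.96' above '16.0.0.287',
    which is exactly the kind of mistake that makes a vulnerable host look
    patched.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, platform: str,
               fixed: Dict[str, str] = FIXED_VERSIONS) -> bool:
    """True if the installed build is at or above the fixed build for the platform."""
    required = fixed[platform.lower()]
    return parse_version(installed) >= parse_version(required)


# Constructed inventory (hypothetical hosts): "hostname,platform,installed_version"
SAMPLE_INVENTORY = """\
ws-101,windows,16.0.0.257
ws-102,windows,16.0.0.287
mac-07,mac,16.0.0.296
lx-03,linux,11.2.202.425
lx-04,linux,11.2.202.438
ws-103,windows,not installed
"""


def triage(inventory: str,
           fixed: Dict[str, str] = FIXED_VERSIONS) -> List[Tuple[str, str]]:
    """Return (host, reason) for every host that still needs attention.

    Hosts whose version string cannot be parsed are reported rather than
    silently skipped, since an unknown state is not a safe state.
    """
    findings: List[Tuple[str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, platform, version = (f.strip() for f in line.split(","))
        try:
            if not is_patched(version, platform, fixed):
                findings.append((host, f"{version} < {fixed[platform.lower()]}"))
        except ValueError:
            findings.append((host, f"unparseable version {version!r}; verify manually"))
    return findings


if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Passing a different `fixed` mapping (for example `{"windows": "16.0.0.296"}`) re-runs the same triage against a later advisory; the comment thread below shows why that matters, since a checker that only compares against "latest" reported 16.0.0.287 as up to date while Adobe was already saying that build was being exploited.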

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

I am looking forward to the day in which far fewer sites require Flash Player to view content, and instead rely on HTML5 for rendering video content. For now, it’s probably impractical for most users to remove Flash altogether, but there are in-between options to limit automatic rendering of Flash content in the browser. My favorite is click-to-play, a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

Update 11:05 p.m. ET: Adobe just issued a bulletin confirming that this latest patch does not protect Flash users against all current, active attacks. The company says it plans to release an update the week of Jan. 26 to address this other security issue.


59 comments

  1. Curious. I have the latest version of Chrome that Google pushed out yesterday (40.0.2214.91) and my version of Flash Player updated to the new version (16.0.0.287).

    • Mine updated just before I went to this story! I’m not sure which utility did the update, because the Adobe updater doesn’t always work. It may have been Secunia PSI, but I had given up on it working a long time ago! I’m not crying about it though, I’m just curious about why it has worked so well in the last three updates.

      Chrome, however, had not updated so I did it through the browser.

  2. According to Kafeine, Flash v16.0.0.287 does not stop Angler EK.

    “Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 16.0.0.287 (included) is installed and enabled.”

    • Yes. That’s effectively what Adobe is acknowledging in the above quoted text.

    • Since flash works so well without having the application installed; I would think most folks using IE-11, or newer browser, could do without it. Win7 users report to me that some video doesn’t play without the app, but when I try it, I’ve never found a video that didn’t play on Firefox or Chrome without needing any extensions or applications on board at all.

      • ActiveX Filtering is a good middle ground for IE, too. Gear icon > Safety. I use it at work and at home, and seldom have to disable the filtering these days. It’s not a bulletproof strategy, since a normally-trustworthy site that requires Flash could have malicious content added. But if someone clicks a malicious link in an email/Facebook/instant messaging, I’d rather have add-ons like Flash Player disabled by default.

        • Per Brian’s suggestion, I’m using noscript under firefox/linux, and I find myself temporarily enabling pages all the time. I see this also blocks flash, at least on most pages…

          • Once you allow a script using No Script, it will generally remember that site URL and allow it from then on, unless you gave it a temporary permission. AdBlock Plus can help if the advertisement is an infected flash vector. Using them both is definitely better than nothing at all. Spyware Blaster can also help with Internet Explorer, at least on known Active X malicious files. I always use as many protections as I can, so a blended defense is in order. I like my flash videos on YouTube, so I refuse to totally get rid of it.

            • It isn’t perfect, but you could opt-in for the HTML5 player on YouTube.

              The biggest problem is that some of the older videos aren’t available in the HTML5 player (Google apparently didn’t bother to convert everything to webm/h264), but they’re pretty infrequent.

              At home I frequently browse on a PPC Mac w/o any plugins, period, so I’m pretty familiar with the HTML5 player…

  3. Google Chrome just released a security update to patch 62 vulnerabilities in its browser. Version 40.0.2214.91 m (64-bit)

  4. Depending on the platform, I either have deleted Flash or have a Flash blocker installed (so it can’t run without permission). I recommend this for everyone.

  5. “The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan.”

    I’ll take this opportunity to plug Ninite; it’s a pretty fantastic tool for avoiding bundled crap in freeware downloads. You can also install/update multiple applications at once rather than having to do it one at a time.

  6. We have two different payloads from this campaign so far and can confirm that the latest Flash Player patch did not fix the problem. It is still vulnerable.

  7. Yes, 16.0.0.287 is still vulnerable. We just published a blog with details .

  8. We’ve published our analysis of an exploit sample retrieved yesterday that is not addressed by today’s Adobe Flash patch.

    http://research.zscaler.com/2015/01/malvertising-leading-to-flash-zero-day.html

  9. I guess I better try the new EMET – I’ve been using 3.0 for far too long.

  10. I believe the information on click-to-play for FF is outdated. When I followed the instructions I found it was already enabled by default. Doing some more research I found it is the default for everything but Flash:

    https://blog.mozilla.org/futurereleases/2013/09/24/plugin-activation-in-firefox/

    Am I missing something?

    • No, you are correct; the way Firefox handles it now is you whitelist the whole website, which is dumb in my opinion b/c it is insecure.

      https://addons.mozilla.org/en-US/firefox/addon/click-to-play-per-element/

      This addon changes it back to the old way and how Chrome handles it. The only problem is the developer doesn’t know how to make it work with Electrolysis, a huge overhaul planned tentatively for Firefox 42. Right now we are currently at version 35, so hopefully we have a solution by then.

  11. Flash… all I see is security bugs with them.

  12. Let’s see, almost 100 million iOS devices … and they don’t have Flash.

    Hmmm, seems like you must either like to “live dangerously” (i.e., with your business at risk) and/or have your head “in the sand” (or someplace even less comfortable) and/or have way too many customers — you know, the kind who statistically spend more via the web — if you still use Flash on a site.

    Flash … just say “No!”

  13. Martin Rubenstein

    Some day people will look back on the way software is produced, with the never-ending and incessant discoveries of vulnerabilities in Windows, Java, Flash, IE ... and they’ll see it in the same way we look back on the time when bridges were made from cast iron before the discovery of steel put an end to their occasional disastrous collapses. That said, it’s hard to imagine the day might ever come when the term “buffer overflow” would be just a historical curiosity.

    • If a human can make it, a human can break it. Bridges have been ‘solved’ because the forces that attack their integrity don’t come up with new ways to defeat the improvements that have ‘solved’ them. When it comes to defending against human attackers, however, it will ALWAYS be a never-ending war, or arms race if you will.

  14. Kafeine reports that a limited test of EMET 5.1 with default setup blocks the new 0-day. Test configuration was

    Windows 8.1 32bits, Internet Explorer 11, Flash 16.0.0.257

  15. Help! I updated Flash Player last week after Brian’s notice, and as I was trying to update today to the very latest version, 16.0.0.287, the download hung up and never finished. I repeated the task several times with no luck, then finally uninstalled the Flash Player and tried to reinstall it again from Adobe’s website: http://get.adobe.com/flashplayer/ Now the site won’t even open. Any suggestions? I’m running Windows 7, Internet Explorer 11. Thanks!

  16. A Mac User: iOS Safari has more vulnerabilities than Flash ever had. Better not comment, noob.

    • You are name-calling others for not knowing but then present a completely false reasoning.

      Don’t quit your day job.

  17. I started looking at packaging Java 7 Update 75 today. I wish they would make it easier for us with ready-to-go MSIs.

  18. I have tried all the recommendations I have mined to resolve the Flash Player/64-bit on IE 11 with Windows 7 non-playable conundrum, but with zilch success. Is there a workable alternative to Flash Player in its myriad editions, patches and updates??

    • “Is there a workable alternative to flash player in its myriad editions, patches and updates??”

      There is.

      It’s called uninstalling these plugins and then emailing the website owner(s) who utilize plugins to tell them to stop being lazy and code for HTML5 (only) from now on. People can no longer use the excuse that their hardware can’t run HTML5 video. You can buy a dual-core $42 Celeron Haswell cpu using only integrated graphics for flawless 1080p video playback and also the ability to run (slightly) older 3d games without the need for a separate graphics card. Pair that with your copy of OEM Windows 7 (that you bought 6 years ago now) and you got yourself a brand new, very capable sub-$200 computer. Remember when it was 1994 and people bought computers for $3,500 that could barely do anything? I don’t.

      Website owners have no excuse. None.

  19. MalwareBytes Anti-Exploit should be effective in protecting from the effects of Flash bugs. The free version protects web browsers and web browser plugins (Google Chrome, Firefox, Opera, Internet Explorer and Java). MalwareBytes techs confirm that the Angler Exploit Kit delivered exploit is effectively mitigated by Anti-Exploit.

    Disclaimer: I use Anti-Exploit. I am not an employee or agent of that excellent firm MalwareBytes.

    • Installed MalwareBytes Anti-Exploit and EMET 5.1 on my Windows 7 64-bit Ultimate machine with IE 11 and it caused IE11 to crash.
      I uninstalled MalwareBytes Anti-Exploit and the crashing stopped.

      • I would pick Malwarebytes anti-exploit(MBAE) over EMET if you only wanted to do one. It is much more effective at protecting what it protects for free. I use both. The current versions that I use are Malwarebytes Anti-Exploit V. 1.05.1.1016. EMET V. 5.1.5426.28434

        EMET is nice because you can protect more applications for free you just need to change some settings in EMET so that the two anti-exploits play nice together.

        First when I install EMET I click the import button at the top and import the 3 files that come up. I also like the EMET Dark Style Skin. Just my preference. 😉 I put EMET on maximum security and then I only worry about changing the settings in the apps menu for the browsers and plugin containers that EMET protects because the free version of MBAE protects IE, Chrome, Firefox, Opera, Java, and the browser plugins so those will be the ones that need some tweaking.

        Click the apps button at the top. Once in the apps menu in EMET look for chrome.exe and uncheck eaf, eaf+, load library protection, memory protection, rop caller check, rop simulate execution flow, stack pivot, and asr. I know asr stands for attack surface reduction and that it can be checked if you want to add an app to the list of apps that you don’t want to run within chrome but I personally just leave it unchecked.

        Then look for firefox.exe and uncheck eaf, eaf+, rop simulate execution flow, and asr.

        Then look for iexplore.exe and uncheck eaf, eaf+, and rop simulate execution flow.

        Then look for plugin-container.exe and uncheck eaf, eaf+, and rop simulate execution flow. There will be two plugin-container.exe options. One is for Firefox and the other is for Thunderbird. I don’t use Thunderbird but I assume that you would uncheck the same things.

        I also don’t use Opera much and would assume you would uncheck the same things for it that you did for chrome.exe. You just need to play around with settings sometimes if it doesn’t work.

        Both EMET and MBAE are excellent programs. Just be careful about applying EMET protections to all of your applications. Most new software will be fine but some old applications will have issues and not work properly.

        Also, I can’t promise that future versions of EMET and MBAE will play nice even with the suggested settings changes I gave you. So if you don’t like to play with settings much then just stick with MBAE.

        Hope this helps someone out there. 😉

        Disclaimer: I’m no computer expert… I’m just an average Joe. I just like reading about and learning about security software as well as playing around with the settings of security products that interest me. Cheers!

  20. Um, Flash Player updated to 16.0.0.287 just nine days before you posted this update yesterday. Do you understand?

    • Debbie, perhaps you are reading the date on this post incorrectly. The big number in the date at the top of the story is the day. There is also a timestamp (albeit a small one) at the end of every story.

  21. I’m confused. I updated flash about a week or 10 days ago, based on your alert (same time as MS updates). According to Adobe, the update to 0.287 (the one you published before) IS the latest update. In other words, it sounds as though Adobe is just alerting us to another problem (albeit a serious problem) that won’t be fixed until later in the month. So if we already installed 0.287, there is nothing more we can do at present. Is that correct?

    • The Flash update that I blogged about earlier this month here:

      http://krebsonsecurity.com/2015/01/adobe-microsoft-push-critical-security-fixes-6/

      brought Flash to v. 16.0.0.257. The Flash update Adobe released yesterday brings it to 16.0.0.287. In addition, Adobe is acknowledging that .287 includes a zero-day flaw that is being exploited. The company says it will issue yet another Flash update sometime next week.

      • Thanks. I haven’t updated Flash since your article earlier this month, but when I checked Control Panel this morning after reading today’s article, it showed Active X and Plug In already updated to 0.287. That’s why I was confused. Maybe Adobe automatic update actually worked. If so, it would be the first time ever that it updated before I read about the latest patches on your website.

  22. And the drum beats on…. A never-ending cycle of patches, that’s for sure.

    I use firefox. I disable flash, reader and java. If I visit a site that requires it, I’ll consider turning it on, only if the content I am looking for on that website requires it.

    It’s a simple right click, then a small pop up shows at the URL bar and I initialize it for just that visit, and pull the plug on the browser when done.

    I can imagine that if a bad site is visited, they can run scripts to check which version of the software you have and even though it may not light off your vulnerable version, the web site can still attack the vulnerable software and cause issues.

    All that I wish to add is, ensure you pay attention to the websites that are visited and look at the entire URL all the way to the .com, .net or whatever extension is on the end. I see many people simply glance to see part of the URL that may have a legit string, but it sends the victim across the world and into the bad stuff.

    Curiosity kills computers. With ransomware 3.0 in the wild, and all the other bad stuff on the ‘net, I keep a small list of trusted sites bookmarked. Sure, a bad advertisement on a good site is really quite possible, but that’s why I disable the flash/reader/java in order to take those extra chances away from the miscreants.

    Surf wisely ! ; )

  23. Qualys BrowserCheck https://browsercheck.qualys.com/ (previously used as my home page) needs a heads up on this as they are reporting “Up to Date” on the bogus update.

    Scan start time: Fri Jan 23 2015, 6:21 PM
    Adobe Flash Player – Up to Date
    File checked: Flash Player.plugin
    Installed File Version: 16.0.0.287

    All-in-all – a great time to make http://krebsonsecurity.com/ my new home page ; )

  24. Didn’t know about this until I read this post … downloaded patch and am safe once more! Thanks!

  25. can't sleep krebs will eat me

    Let’s hear it for proprietary software!

    This PoS will always have gaping holes.

  26. Brian Excarnate

    There is a new version, 16.0.0.296, so far only available via the updater (e.g. in System Preferences on a Mac).

    http://blogs.adobe.com/psirt/?p=1160

    “…includes a fix for CVE-2015-0311.”

    • Weird. Just checked my Flash Version (Firefox, Windows 8.1). Adobe says I have version 16.0.0.296 installed, yet volunteers to install 16.00.287. Think I’ll wait before pushing any more buttons …

      • Adobe’s security team got called in to work over the weekend while the sales department won’t come in until Monday (the beginning of the work week for them.) That’s why there isn’t a manual download option available yet (the one with bundled, optional 3rd-party software.) Here’s an instance where automatic updates > manual updates.

      • Yep, just installed 16.0.0.296 into Firefox; I don’t think it is a beta. Used the Exe installer for plugin-based browsers, no problems so far.

        http://www.adobe.com/products/flashplayer/distribution3.html

  27. 296 appeared on my system today but everywhere I looked it said the latest version was 287. I eventually thought to check in here and …

    Aha! Problem solved, discrepancy explained. Thank you to all the recent posters who provided the information I couldn’t get from anywhere else.

  28. 16.0.0.287???

    Forget that! It’s sooooo four-days-ago. The real in-crowd is up on version 16.0.0.296.

    http://www.adobe.com/products/flashplayer/distribution3.html

  29. The only place I have seen 296 is the distribution page. The regular adobe page still has 287…. What a mess …

  30. No sooner said and FireFox goes to Version 35.0.1.

    Jane. Stop this crazy thing! – George Jetson