Update or Uninstall Flash, Experts WarnAttackers Target Yet Another Zero-Day Flaw in Browser Plug-In
Adobe has issued an emergency patch for Flash in the wake of security experts warning that cyber-espionage attackers have been exploiting a zero-day flaw in the browser plug-in software.
Adobe says it is aware of the related attacks and has has characterized the software bugs as being "severe," noting that "these updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system." It recommends that all Flash users immediately update their software.
"Adobe Flash Player 18.x through 18.104.22.168 and 19.x through 22.214.171.124 on Windows and OS X and 11.x through 126.96.36.1995 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015," the U.S. Computer Emergency Response Team warns in a related advisory.
Chaouki Bekrar, the CEO and director of vulnerability research at zero-day research firm Vupen Security, has warned that the new Flash update is not included in any recent Windows update issued by Microsoft.
As of today, Microsoft did *not* push Flash v188.8.131.52 on Windows Update. All Win10/8 users are at risk from the #0day in the wild...ï¿½ Chaouki Bekrar (@cBekrar) October 19, 2015
The latest Flash Player - which includes patches for the flaws - is now version 184.108.40.206, while the most recent "Extended Support Release" is now version 220.127.116.11. Adobe says ESR is available "to organizations that prefer Flash Player stability over new functionality" and that it keeps the code "up to date with all of the latest security updates, but none of the new features or bug fixes available in our current release branch," noting that this should allow Flash-using organizations to ensure that Flash updates won't break any custom applications they might use.
But in August, Adobe updated Flash ESR from version 13 to version 18 - for both Mac and Windows - and cautioned that it is now only keeping version 18 updated with the latest patches and security fixes.
Operation Pawn Storm
The latest zero-day attack against Flash was spotted by researchers at security firm Trend Micro, who warned Oct. 13 that the hackers behind the long-running Pawn Storm campaign were targeting the Flash flaw. Trend Micro says it worked with Adobe to identify the flaw being targeted and issue a related alert.
Operation Pawn Storm - a.k.a. APT28 - refers to a cyber-espionage campaign that appears to have been launched in 2007, which security firm FireEye says targets "intelligence on defense and geopolitical issues" (see Espionage Hacks Tied to Russians).
"It's worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year," Trend Micro says (see Zero-Day Exploit Alert: Flash, Java).
Old Flash Flaws Linger
Just because Adobe issues a Flash update, however, does not mean that all Flash users will install the update. That's why numerous crimeware toolkits - including Angler, Nuclear Pack and Rig - target patched flaws in Flash or Java (see Zero-Day Exploit Alert: Flash, Java).
Security firm Zscaler, for example, warns in an Oct. 16 blog post that a zero-day flaw in Flash that came to light in July, and which Adobe quickly patched, continues to be successfully exploited by attackers. This particular flaw, labeled CVE-2015-5119, was first publicly discovered in the 400 GB dump of data stolen from hacked spyware vendor Hacking Team (see Spyware Vendor Alert: Suspend Software)
"Hacking Team's exploit payloads remain a popular choice among cybercriminals for weaponizing their payloads," Zscaler says, noting that in the past two months, it's seen that flaw get exploited to install the Zegost backdoor Trojan - allowing attackers to access infected PCs - via what appear to be untargeted attacks.
In one recent attack campaign, for example, "the infection cycle starts with a legitimate Chinese real estate and shopping site ... which appears to have been compromised by the attackers and contains an injected script," it says. "The injected script will cause a series of redirects leading to Hacking Team's exploit payload. ... The majority of users were led to the original compromised site following a Baidu search."
Recalling Steve Jobs
News of these nonstop Flash-attack campaigns has led many information security experts to repeat their longstanding warnings to ditch Flash altogether. "It is not simply that Flash has many implementation-induced vulnerabilities, not merely that it has frequent patches ... It is that its risk exceeds any residual value that it might ever have had," information security consultant William Hugh Murray, who teaches at the U.S. Naval Postgraduate School, says in a recent SANS Institute newsletter.
"Managing this risk is beyond the capabilities of Adobe ... [and] it appears to be beyond the ability of the entire industry to deal with it. We seem to be unable to manage it and too feckless to get rid of it. Only Steve Jobs had the courage to act on what we all know," he adds, referring to Jobs announcing in 2010 that Flash was outdated and that none of Apple's iPhones, iPads or iPods would be permitted to run the software.
In fact, a grassroots movement called Occupy Flash has even sprung up, which aims "to rid the world of the Flash Player plugin." Its site also offers instructions for how to uninstall the plug-in software.