Adobe has just updated its Flash product for the second time this month, pushing out an emergency patch for an RCE exploit that has been seen in the wild.
- RCE means “remote code execution”, and it refers to an attack that runs a program on your computer without producing pop-ups, dialogs or warnings. Just by visiting a web page, viewing a document, listening to an audio file, or similar, you might invisibly get infected with malware. Your browser, or word processor, or whatever it is, might crash in the process, but that’s an unreliable indicator that you have just been attacked. (Also, it’s usually too late by then: it is by crashing your browser that the attackers jump over the security warnings.)
- Usually, when triggering an RCE, the attackers will deliver a booby-trapped file. This is deliberately crafted so that when it is processed on your computer, for example by the Flash plugin in your browser, the program is led astray so that unauthorised and unexpected execution of remotely-supplied code takes place. The bug that permits the program to be led astray is called a vulnerability; the trick that makes use of the vulnerability is called an exploit.
- In the wild means simply that a real-world attack is known, so this is not merely a risk that has been spotted and contained inside a security lab. If an in-the-wild attack happens before a patch is ready, it is known as a zero-day, meaning that you had zero days of advance warning about a patch, because there wasn’t one.
According to Adobe, there are three vulnerabilities patched in this update, numbered CVE-2014-0498, CVE-2014-0499 and CVE-2014-0502.
The last on the list is the one known to have been exploited in the wild, according to analysts at vulnerability research company FireEye, and it’s the reason why you should upgrade promptly.
Presumably, the other two vulnerabilities have been patched “just in case,” because Adobe’s next scheduled security update doesn’t arrive until April 2014.
The importance of patching
Note, however, that properly updated systems should be immune to this in-the-wild attack.
According to FireEye, the attack relies on overwriting function pointers (for programmers: this exploit overwrites a vtable, which is short for virtual function pointer table) inside Flash.
A function pointer is a memory location that keeps track of where a program should go to perform certain functions such as reading and writing files, or compressing and decompressing data.
Clearly, by changing a function pointer, typically only four bytes on 32-bit systems or eight bytes on 64-bit systems, you can completely change the behaviour of a program, which is why function pointers aren’t supposed to be rewritable by just anybody.
But for the attack found by FireEye to work, you have to know where to send the exploited program to next (i.e. what value to write into the “stolen” function pointer).
That’s something you can’t easily predict on a system that is using Address Space Layout Randomisation, or ASLR.
ASLR is a powerful threat mitigation technique used in all modern operating systems, and most modern software, so that attackers can’t guess where specific system components will end up in memory, making it much harder to take control of buggy software from a distance.
→ When you come home in the dark, you know exactly where the light switch is in the hallway, so you can open the door, reach round in the pitch black, and turn on the lights at once. But in a stranger’s house, you’ll probably end up fumbling around for ages, helplessly swiping at blank parts of the wall, probably knocking over an ornament or two in the process and drawing attention to yourself.
So, the in-the-wild CVE-2014-0502 exploit found by FireEye deliberately targets insecure environments where ASLR is turned off, namely:
- Windows XP. (We told you to upgrade!)
- Windows 7 with Java 6. (The Java 6 plugin allows ASLR to be bypassed. Java 7 does not, and is therefore immune.)
- Windows 7 with an unpatched Office 2007 or 2010. (Those versions of Office were patched in December 2013 to enforce ASLR.)
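The Office DLL that let attackers sidestep ASLR was one that had not opted in to relocation at load time. On Windows, that opt-in is a single bit, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, in the DllCharacteristics field of a module’s PE optional header, so a defender can audit a machine for non-ASLR modules by reading that field. The following script is an added example, not code from the article or from Adobe, Microsoft or FireEye; the header offsets and flag values are taken from the PE/COFF format specification, and the sample images it builds are constructed in-line purely so the check runs offline (no real DLL is included).

```python
import os
import struct

# IMAGE_DLLCHARACTERISTICS_* bits as defined in the PE/COFF specification (winnt.h)
HIGH_ENTROPY_VA = 0x0020  # 64-bit image accepts a high-entropy (>4 GB) load address
DYNAMIC_BASE = 0x0040     # image may be relocated at load time, i.e. it opts in to ASLR
NX_COMPAT = 0x0100        # image is DEP/NX compatible
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(data: bytes) -> tuple:
    """Return (optional-header magic, DllCharacteristics) from the start of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                      # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and the PE32+ optional header
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return magic, chars


def aslr_status(data: bytes) -> dict:
    """Decode the mitigation opt-in bits of one PE image."""
    magic, chars = dll_characteristics(data)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": bool(chars & DYNAMIC_BASE),       # False => module defeats ASLR
        "high_entropy_va": bool(chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(chars & NX_COMPAT),
    }


def audit_directory(path: str) -> dict:
    """Map every .dll/.exe under path to its status (or to a parse error)."""
    report = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            if name.lower().endswith((".dll", ".exe")):
                full = os.path.join(root, name)
                try:
                    with open(full, "rb") as fh:
                        report[full] = aslr_status(fh.read(4096))  # headers fit in 4 KB
                except (ValueError, OSError, struct.error) as exc:
                    report[full] = {"error": str(exc)}
    return report


def build_sample_pe(chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections): sample input for this example only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: NT headers at 0x40
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C                  # AMD64 or i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)  # EXECUTABLE | DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # Two constructed images: one that opted in to ASLR and DEP, one that did neither.
    for label, image in (("hardened", build_sample_pe(DYNAMIC_BASE | NX_COMPAT)),
                         ("legacy", build_sample_pe(0))):
        print(label, aslr_status(image))
    # Optional: audit a real directory given on the command line, e.g. an Office install.
    if len(sys.argv) > 1:
        for path, status in sorted(audit_directory(sys.argv[1]).items()):
            if not status.get("dynamic_base", True):
                print("no ASLR opt-in:", path, status)
```

Run it with a directory argument to list modules that lack the DYNAMIC_BASE bit; on an unpatched Office 2007/2010 install, the DLL named in the comments below would show up in that list. The check reads only the first 4 KB of each file, which is enough for the headers, and treats anything that is not a well-formed PE image as an error rather than a pass.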
What to do?
In summary:
- Get rid of XP from your regular office computers – especially ones used for browsing and running Microsoft Office – and lock down those on which you simply can’t find a way forward. (XP doesn’t support ASLR. This makes it much less secure at heart than later Windows versions.)
- Update to Java 7, and turn off Java in your browser unless you are absolutely certain you need it.
- Don’t let months go by before you apply Microsoft security patches.
- Consider whether you still need Flash, because many websites no longer require it thanks to HTML5, and then either uninstall it or apply this patch promptly.
Remember that many so-called Advanced Persistent Threats, or APTs, are only advanced if you are behind in your patching – so don’t make things easier than you have to for the crooks!
Oh, and here’s a suggestion for Adobe.
Having lined up with Microsoft for your patch regularity (i.e. always on the second Tuesday of a month), why not line up with Redmond in frequency (i.e. patch every month, not every quarter)?
Well-informed system administrators are increasingly willing to apply patches immediately, rather than waiting three months, so why make them wait three months for routine updates?
For further information
You might also like:
- Our Techknow podcast Understanding Vulnerabilities, which explains RCE and other vulnerability jargon.
- Our Techknow podcast on Patching: should you lead, follow, or get out of the way?
- Our Techknow podcast The End of XP, advising you on how to deal with the end of security updates for XP after April 2014.
- Our detailed study Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day, which incidentally uses the same Office 2007/2010 vulnerability to bypass ASLR.
Wanted to mention that the section “explaining the jargon above” is especially necessary if we are going to bring others along in their learning of computer security. Too often us Computer Security minded folks who live and work in the sector forget this. I wanted to commend you for ensuring that we speak to the widest audience possible when we address these issues. Those “in the know” shouldn’t be put off one bit by your speaking down to a wider audience, especially if they truly care about their customers.
Thanks! I deliberately decided to adopt that curious style (start with a sentence more jargonistic than I like to write and then explain it at some length in a sidebar) in the hope of making that very point…when we condition people to talk about RCE exploits without making sure they know what we mean, then we actually make security problems sound and feel less important.
Indeed, that is why Chester Wisnieski and I made the “Understanding Vulnerabilities” podcast I included at the end.
When exploit ends up synonymous with bug, we lose an important semantic distinction.
IIRC that’s why many people involved in road safety disavow the word “accident” to describe an incident when two cars smash into each other and ruinously deploy their energy…so they talk about collisions instead. Many collisions aren’t accidents, after all – they’re “preventables.”
Java is definitely required as a great many websites don’t work without it! Even Intel use Java. As do BT in the UK, amongst many others.
What gets me is that when you set any Adobe product to inform you that an update is available, it doesn’t tell you! And I have yet to see it update automatically! Something broken in the Adobe system used to inform of updates, methinks. Not a good way to maintain users’ safety.
Are you sure a “great many” sites use Java? As in, won’t work without it? I haven’t had Java enabled in my browser for a couple of years and it has made no, zero, zilch, nil difference to my browsing experience. Not a jot.
I suspect MikeP is mixing up Java and JavaScript, which are (and always have been) completely different. I no longer have browser-enabled Java on any of my personal PCs, though I do still have to have it on my work PC, as there are some work-related sites that need it.
For those who wonder about [a] the difference between Java and JavaScript and [b] why they have similar names, try either or both of these links 🙂
http://nakedsecurity.sophos.com/2013/01/16/java-is-not-javascript-tell-your-friends/
http://nakedsecurity.sophos.com/2012/09/01/sophos-techknow-all-about-java/
For those who use the Firefox browser, Javascript protections are available via the NoScript add-on. I whitelist only those domain sources necessary to view and interact with a webpage properly, which goes a long way towards taking the risks out of viewing a site. While it can make browsing a site a bit more tedious the first time, it doesn’t begin to compare to the headache of removing malware from your workstation or attempting to clean up from an identity theft incident.
Literally no websites have asked to run Java since I switched it to “always ask” over a year ago. Java is okay, but it doesn’t need to be a browser plugin, for any reason. It’s also not JavaScript.
By default on OS X (I am fairly sure it’s the default, set by the Oracle Java installer), Java is not enabled in the browser at all.
As mentioned, that hasn’t made any difference to me.
I have Java installed for Android SDK purposes, so I can run locally installed applications, but no need I can see to have it on in the browser.
Quick note, because people have asked me, “How do I get the standalone Flash installer that can run offline and doesn’t try to shove other software (e.g. Google Chrome) down my throat?”
This link should do the trick – one big download that just installs Flash, not a 900KB downloader that then fetches a raft of other stuff:
http://www.adobe.com/products/flashplayer/distribution3.html
One word of caution, Paul … while that “distribution3” addy is by far the best place to get Flash updates (no fancy downloader or other potentially unwanted add-ons, plus versions for all OS’s and plugin/Active-X browsers are on one page), Adobe apparently makes strong objection to anyone posting it as a link. Best practice, as we do at the avast! forums, is probably to give everyone a chance to bookmark it then delete the link to it.
Funny, because the page starts with the words, “Thank you for your interest in Adobe Flash Player.”
It seems you need a licence (free) to redistribute Flash on your network, whether as a download or via some sort of remote deployment. But that URI I posted is the page that explains all of that and links to the place to follow the licensing procedure.
Probably the reason as to why Adobe might object to posting the “distribution3” link is that they lose out on the money made by bundling their “partner’s” software with whatever Adobe product (Reader, Flash, etc.) is being downloaded, as dreadful as that practice is.
Yes, the link you posted,
http://www.adobe.com/products/flashplayer/distribution3.html
“should do the trick – one big download that just installs Flash, not a 900KB downloader that then fetches a raft of other stuff” — provided you ignore the big fat tempting gray Download button in the middle of the RHS of the page, and scroll down, eyes to the LHS of the page, looking for the .msi and/or .exe full-length stand-alone Windows installation files, or their Mac and Linux counterparts.
The big fat grey button (which turns an ominous boiled-lobster red if you hover over it) leads to a page that offers a short downloader stub that, ultimately, will try to load up the foistware-du-jour on the unwary updater.
It’s not nice to try to fool Mother Nature, Adobe, or your customers, either. Time you learned that, eh?
How do we go about ridding our browser of flash?
You can turn the browser plugin off.
How to do so depends on your browser. I use Firefox: head to Tools|Add-ons. BTW, there’s a middle-of-the-roads setting, “Ask to activate,” which does what it says and is a good way of having Flash up your sleeve in case you need it without having it on all the time. Flash windows appear greyed out and ask you, “Activate Adobe Flash?”
Or you can run the Flash Player uninstaller.
How to do so depends on your operating system. I use OS X: head to Applications|Utilities and run the “Adobe Flash Player Install Manager” application.
Adobe would have more credibility if they:
a) Updated their installers so they would work with antivirus programs instead of just failing. (Now they give you a warning when the install starts. They used to just fail, leaving the innocent-victim-user to try this and that until he hits on disabling AV. A real problem with AV from one of your competitors whose name starts with “S.” Lots of other software updates including drivers, operating systems, and BIOS updates don’t have this problem – why does Adobe?)
b) Updated their installers so they would actually work in user-mode (not administrator-mode). Lots of other programs including even free open-source stuff like VLC manage to do this–why not Adobe?
It is apparent to me that Adobe management is more interested in their money machine than quality software.
“(Those versions of Office were patched in October 2013 to enforce ASLR.)”
December 2013.
Hmmm. Yes…October was when they patched the hole that led to a notorious attack that led to the abuse of the non-ASLR DLL (hxds.dll) in Office; December was when they patched the non-ASLR DLL itself.
Thanks for spotting that! I have updated the article.