Sophos Cloud Optix
Hot on the heels of Microsoft’s Internet Explorer (IE) zero-day announcement comes an Adobe bulletin about a zero-day in Flash.
Readers who saw our recent story about Microsoft’s zero-day will know that although that bug is entirely in Microsoft’s code, the exploits currently seen “in the wild” rely on a Flash file to get things going.
In the IE attacks, Flash is used by the attackers to get their ducks in a row in memory, so to speak, thus creating the circumstances needed make their exploit on IE succeed.
Adobe’s newly-announced Flash exploit is unrelated: APSB14-13 is a bug in Flash itself that apparently allows remote code execution.
That means that you could be infected just by viewing a Flash file in your browser.
As in the Microsoft announcement, Adobe is being tight-lipped about what is wrong, saying simply:
Adobe has released security updates for Adobe Flash Player 13.0.0.182 and earlier versions for Windows, Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh and Adobe Flash Player 11.2.202.350 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform.
As you can see, Adobe does have a patch out, so you don’t need to worry about workarounds like the ones we suggested to circumvent the IE zero-day.
We therefore recommend getting the patch immediately.
Judging by the official Common Vulnerabilities and Exploits (CVE) number, CVE-2014-0515, Adobe may have known about this bug for some time – in contrast, the recent IE zero-day was CVE-2014-1776.
Presumably (though not certainly), this means the vulnerability was responsibly disclosed to Adobe before the first attacks were seen.
Responsible disclosure is where a vendor finds a hole itself, or has the hole reported by someone who doesn’t go public right away, and then fixes it within a reasonable period, deferring public discussion of the details of the bug until a patch is out.
It’s a fair guess, therefore, that before a patch could be finished, tested and scheduled for a suitable Adobe Patch Tueday, one or more crooks also discovered the vulnerability, and how to exploit it, and began to use it in the wild.
Thus the need for a so-called out of band patch not on Adobe’s usual schedule.
With that in mind, Adobe rates this patch Priority 1, Critical.
So you may as well patch just as soon as you can.
â Microsoft ships Flash built into IE 10 and IE 11, and has announced updates for the Flash player in those browsers. Chrome users should also receive automatic updates to the Flash player built into that browser.
The only important thing to remember is that applying this Adobe patch doesn’t do anything to protect you against CVE-2014-1776, the recent Microsoft IE zero-day.
That IE zero-day doesn’t require Flash; it’s just that the currently-known exploits happen to use Flash as a handy “helper toolkit.”
PS. If you use the Adobe Flash Player Distribution page, you will find out how to apply for a free licence to access Adobe’s standalone installers. These installers avoid the foistware in Adobe’s regular installer that some of you have complained about before on Naked Security comments.
Hi, I play Flash games on FB with a lot of people who aren’t programmers (I’m not either but I use Chrome). Is there somewhere I could direct them that makes this easier to understand and easier to get the patch? Thanks!
There are links to help you find Adobe Flash installers in the grey box at the end of the article.
I think the OP might have a point. The articles you guys write are very good, but they do tend to assume a certain level of expertise.
This is OK, in my opinion (after all, not many non-technical people read these), but perhaps something a little more would help:
I suggest you add a short synopsis of the problem at the beginning or end of the article (or in a callout box). If you do it consistently, you could even give it a name, perhaps “bottom line” or something.
Make it short and not-highly-technical, targeting non-techies and/or techies with no time to read the full article. I suspect it would eventually increase readership.
e.g.
—————————————————————————————
Bottom Line:
——–
Flash is vulnerable; a patch has been released. We recommend you install it immediately.
Also, do not confuse this patch with the one for Microsoft’s Internet Explorer (where Flash is used to lay the groundwork for an in-the-wild exploit).
—————————————————————————————
Well, I think you’ve done the summary for us this time…nice đ
I came up with the motif after my manager said my emails were too long. As an engineer, I like completeness and accuracy. But, as a manager, he wants brevity; it saves money.
And, he is correct: My missives ARE too long. (Or, were? I hope I’m getting better at it.)
Now I write up the details at the end of the email, and tell readers to go to the bottom if they want the details. It’s almost like a more robust subject field I’ve added between the real subject and the elephantine part of the email. đ
You will be pleased to see, in this recent zero-day-related article:
http://nakedsecurity.sophos.com/2014/05/01/that-was-quick-microsoft-patches-the-1776-hole-in-internet-explorer/
…a section at the end like this:
The bottom line is:
• All versions of IE on all versions of Windows contain a security hole that could allow cybercriminals to implant malware on your computer with little or no warning.
• Microsoft has published a security update that closes this hole so it can no longer be used to attack your computer.
• We recommend you get the update as soon as possible if you haven’t already.
• Go to Control Panel | Windows Update if you aren’t sure where to start.
Give me goosebumps! Thanks!
(And, it just so happens that today is my birthday. Thanks!)
Unfortunately, the Adobe server is not giving out the download at present! It sends out the initial ‘installer’ that then tries to fetch the actual download but fails, complaining that I’m not connected to the internet – which I have to have been to download the initial installer! And there is no known way to contact Adobe to tell them of their problem!
Did you try the standalone installer approach, as suggested above? Once you have downloaded the standalone MSI/DMG, the installation/update is independent of internet connectivity. (That’s also handy if you need to reinstall later.)
Yes, but Adobe will not allow a non-company application. You have to give both a company name and a company email address, so private individuals are stuck with deselecting foistware options.
I’m not a lawyer…but the licence is for “multi-user” installs, i.e. where you host the installer on your own corporate server and redistribute it.
Not sure what that means if you are not redistributing the file, i.e. you are downloading it for yourself only…
Don’t forget. Many of us run in User Mode–it’s safer as much malware is thwarted in User Mode. However, Adobe has never figured out how to make their installers run in User Mode. You will have to start in Administrator Mode to install this fix.
(Surprising, since even open source freeware like VLC has figured it out. Adobe must be a little slow.)
Depends what you want/need to install.
” find out how to apply for a free licence to access Adobe’s standalone installers. These installers avoid the foistware in Adobe’s regular installer”
Just Loverly…
After what’s happened to them why would anyone put their Personal Information on one of their servers?
any word if this can be mitigated with sophos endpoint or utm device?
No word yet…short of blocking Flash files outright đ
Out of Band Patch to be issued at noon Central time on 5/1
https://technet.microsoft.com/en-us/library/security/ms14-may.aspx
It’s all true!
See:
http://nakedsecurity.sophos.com/2014/05/01/that-was-quick-microsoft-patches-the-1776-hole-in-internet-explorer/