This week, Adobe joined Microsoft in issuing an official November 2014 patch that didn’t come out on Patch Tuesday.
Microsoft backfilled a patch that had originally been promised for Patch Tuesday but didn’t quite make the cut.
Adobe’s latest Flash update, dubbed APSB14-26, was more by way of a booster dose.
The latest patch adds additional protection against a vulnerability that was originally addressed in October 2014:
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates provide additional hardening against CVE-2014-8439, which was mitigated in the October 14, 2014 release.
According to independent malware researcher Kafeine, who publishes on the website malware.dontneedcoffee.com, it looks as though the crooks worked backwards from Adobe’s October 2014 patch to get ideas for new ways to attack Flash.
Even if you ship patches in compiled binary form, and go out of your way to rebuild the changed components so that the decompiled code can’t easily be lined up with the previous versions, determined reverse engineers can almost always learn something about what you just fixed.
That, in turn, may give them hints about where to sniff around for related but as-yet-undiscovered holes.
That seems to be the case here: SophosLabs reports that it has seen a modest number of attacks that seem to be using the CVE-2014-8439 vulnerability, which Sophos products detect and block with the name Troj/SWFExp-CD.
The potential reversibility of patches is not an argument against patching, by the way: after all, holes that are fixed by today’s patches already exist, and thus need fixing anyway.
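The "lining up" of old and new builds that the article describes is patch diffing. As an added illustration (not Sophos or Adobe code, and not real Flash disassembly), the script below compares two constructed, hypothetical disassembly listings of a toy tag parser: the patched build has been relocated so every address moved, and one function gained a bounds check. A naive comparison flags every function because call targets shifted; masking code addresses before hashing leaves only the function whose logic actually changed, which is exactly the hint an attacker would take into their own bug hunting. Function labels, addresses and instructions are all made up for the example.

```python
"""Function-level patch diffing over a constructed disassembly listing.

Added example, not code from the original article or from Adobe/Sophos.
The two listings below are hypothetical: a 'before' and 'after' build of a
toy parser, with the patched build relocated by 0x30 and copy_tag given a
length check.  Real tools (BinDiff, Diaphora) match functions by structure
because stripped binaries carry no labels; this toy relies on the labels.
"""
import difflib
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed pre-patch listing (hypothetical, not real Flash code).
OLD_LISTING = """\
<parse_header>:
00401000  push ebp
00401001  mov ebp, esp
00401003  mov eax, [ebp+8]
00401006  call 0x00401100
0040100b  pop ebp
0040100c  ret
<copy_tag>:
00401100  push ebp
00401101  mov ebp, esp
00401103  mov ecx, [ebp+0xc]
00401106  mov esi, [ebp+8]
00401109  rep movsb
0040110b  pop ebp
0040110c  ret
<render_frame>:
00401200  push ebp
00401201  mov ebp, esp
00401203  call 0x00401000
00401208  pop ebp
00401209  ret
"""

# Constructed patched listing: everything moved by 0x30, and copy_tag now
# rejects lengths above 0x1000 before the copy (the 'fix').
NEW_LISTING = """\
<parse_header>:
00401030  push ebp
00401031  mov ebp, esp
00401033  mov eax, [ebp+8]
00401036  call 0x00401130
0040103b  pop ebp
0040103c  ret
<copy_tag>:
00401130  push ebp
00401131  mov ebp, esp
00401133  mov ecx, [ebp+0xc]
00401136  cmp ecx, 0x1000
0040113c  ja 0x00401150
0040113e  mov esi, [ebp+8]
00401141  rep movsb
00401143  pop ebp
00401144  ret
<render_frame>:
00401230  push ebp
00401231  mov ebp, esp
00401233  call 0x00401030
00401238  pop ebp
00401239  ret
"""

FUNC_HDR = re.compile(r"^<(\w+)>:$")
INSN = re.compile(r"^[0-9a-f]{8}\s+(.*)$")


def split_functions(listing: str) -> Dict[str, List[str]]:
    """Group instruction text (leading address dropped) under its label."""
    funcs: Dict[str, List[str]] = {}
    current = None
    for line in listing.splitlines():
        hdr = FUNC_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            funcs[current] = []
            continue
        insn = INSN.match(line)
        if insn and current is not None:
            funcs[current].append(insn.group(1))
    return funcs


def normalise(insn: str) -> str:
    """Mask 32-bit code addresses (call/jump targets) so a relocated but
    otherwise identical function compares equal; small immediates such as
    0x1000 are kept, since a changed constant can itself be the fix."""
    return re.sub(r"0x[0-9a-f]{8}\b", "ADDR", insn)


def fingerprint(body: List[str]) -> str:
    """SHA-256 over the normalised instruction sequence of one function."""
    return hashlib.sha256("\n".join(normalise(i) for i in body).encode()).hexdigest()


def changed_functions(old_listing: str, new_listing: str) -> Tuple[List[str], List[str]]:
    """Return (naive, normalised): functions that differ with addresses kept,
    and functions that still differ once addresses are masked."""
    old, new = split_functions(old_listing), split_functions(new_listing)
    common = [n for n in old if n in new]
    naive = [n for n in common if old[n] != new[n]]
    normalised = [n for n in common if fingerprint(old[n]) != fingerprint(new[n])]
    return naive, normalised


def added_instructions(old_listing: str, new_listing: str, name: str) -> List[str]:
    """Normalised instructions present only in the new body of `name`:
    the shape of the fix a reverse engineer would zoom in on."""
    old = [normalise(i) for i in split_functions(old_listing)[name]]
    new = [normalise(i) for i in split_functions(new_listing)[name]]
    return [line[2:] for line in difflib.ndiff(old, new) if line.startswith("+ ")]


if __name__ == "__main__":
    naive, normalised = changed_functions(OLD_LISTING, NEW_LISTING)
    print("naive diff flags:     ", naive)
    print("normalised diff flags:", normalised)
    for fn in normalised:
        for insn in added_instructions(OLD_LISTING, NEW_LISTING, fn):
            print(f"  {fn}: + {insn}")
```

Run stand-alone, the naive pass flags all three functions (relocation moved every call target), while the normalised pass flags only copy_tag and shows the two added instructions: a length comparison and a conditional jump. That tells an attacker the vendor considered the tag length untrusted here, and invites them to look at other copy paths that consume the same length field but did not get the check, which is the "related but as-yet-undiscovered holes" risk the article describes.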
The bottom line
- If you are a Flash user, make sure you have this patch, whether you are on Windows, OS X or Linux. An exploit for the hole already seems to be in use by cybercriminals.
- Try uninstalling Flash to see if you can live without it. As this incident reveals, Flash is popular with crooks, who put plenty of effort into working out how to exploit it.
- Use your browser’s click-to-play option, also known as Ask to Activate, especially if you only need Flash occasionally. Flash won’t run until you say so, which reduces your exposure to unexpected and unwanted Flash content.
Duck wrote: “Even if you ship patches in compiled binary form, and go out of your way to rebuild the changed components so that the decompiled code can’t easily be lined up with the previous versions, determined reverse engineers can almost always learn something about what you just fixed.”
Yes, it’s hard to reverse-engineer these closed vulnerabilities and find the associated holes. It’s much easier if you have and understand the source code. Which, of course, makes one wonder why Adobe didn’t simply look around a little more carefully when they learned of the original vulnerability and release a more comprehensive fix.
Flash is not new – and as far as I can tell, the interface isn’t changing. It’s static code. It’s hard to see why Adobe doesn’t put on an all-court press to go back and review it for all holes – their programmers would become attuned to producing more secure code in the future. That’s just what Microsoft did.
Every time this happens (and it’s often) I lose a little more respect for Adobe. I don’t and won’t have any of their commercial products, and I’d dump the Reader if it weren’t for some US Government forms that require their form-filling-and-saving/filing function.
It’s easy to form the impression that the company simply doesn’t care.
There’s some truth in that, but it’s not as easy as you think, when you are under pressure to ship a fix that will also be reliable, to foresee every other part of the code that might have a problem…
To be fair to Adobe, the company might have proactively weeded out 175 other bugs that were related to the holes fixed in October – bugs that can now never be used by the crooks, but it’s the one it missed that will get the attention 🙂
After all, a full-court press doesn’t always work. If it did, all teams would apply the technique all the time in every game, and it would no longer have a special name.