Adobe issues emergency fix for Flash zero-day

Adobe has published an emergency Flash update to protect against a “zero day” exploit.

An attack is known as a zero-day if the crooks start using it before a patch is available.

It’s a curious name, but it is meant to reflect the fact that there were zero days on which you could possibly have been patched before the exploit became known.

A second zero-day, denoted CVE-2015-0311, was mentioned by Adobe in a separate advisory, but no patch is yet available.

According to independent malware researcher Kafeine, this hole seems to be exploitable at least inside Firefox and Internet Explorer, right up to IE 11 on Windows 8.1.

Adobe’s advisory says that it “expects to have a patch available for CVE-2015-0311 during the week of January 26.”

There are two important, somewhat paradoxical things to remember when situations like this arise:

Even if you are unpatched, good “defence-in-depth” malware prevention can stop you getting infected.

That’s because the crooks generally need to get you through a sequence of “insecurity hoops”, including triggering the exploit, to leave you infected.

There’s often all this and more:

  • An HTTP request to a compromised web server.
  • Some obfuscated page content sent back to used to decide which attack vector to try.
  • The exploit itself.
  • The delivery of shellcode (a sort of partial in-memory program) to control the malware download.
  • An HTTP request to fetch the final malware.
  • The delivery and launch of the final malware.

A combination of web URL filtering, web content scanning, anti-virus detection and a Host Intrusion Prevention System (HIPS) can often defeat the attack by disrupting any one of these stages.

Even if you apply a patch, the same crooks may have other ways to infect you.

That’s because so-called exploit kits, used by crooks to infect you when you visit their dodgy websites, typically try a number of different attacks before giving up.

For example, the Angler exploit kit, reportedly being used to carry out zero-day attacks using the as-yet-unpatched exploit, has been associated with many other exploits, including CVE-2013-0074, CVE-2013-3896, CVE-2013-0634, CVE-2013-2465, CVE-2013-5329, CVE-2014-0322, and CVE-2014-0497.

What to do

Here are some tips:

  • Apply the APSB15-02 patch promptly. Even when there are other doors still left open, you may as well close every door you know about as quickly as you can.
  • Consider uninstalling the Flash player if you don’t need it. As this exploit shows, one vulnerability in Flash can affect multiple browsers and operating systems.
  • If you really do use Flash, use “Ask” or “Ask to Activate” mode. This helps you restrict Flash to sites where you know you need it, so an unknown, hacked site will not be able to run malicious Flash in your browser invisibly.
  • Turn on HIPS if your anti-virus supports it. Host Intrusion Prevention Systems that monitor system behaviour while you browse will often detect exploit-like behaviour proactively, even if the details of the exploit are not yet known.

Note. Although the crooks can, and do, change their malware payloads at any time, the attacks currently [2015-01-23T09:30Z] associated with these zero-day threats seem to be a malware family called Troj/Bedep by Sophos products, delivered by an exploit kit component from the family Troj/SwfExp. The Angler exploit kit mentioned above is variously detected using the family names Mal/ExpJS and Troj/JSRedir.