News Flash! 3rd time unlucky! New 0-day hits Adobe’s browser plug-in…

Update. Adobe has issued APSB15-04, announcing the availability of Flash updates for all platforms to patch against this vulnerability. Windows and Mac go to version 16.0.0.305; the Extended Support Release goes to 13.0.0.269; and Linux goes to 11.2.202.442 [2015-02-05T21:00Z].

It looks as though once, no, sorry, twice hasn’t been enough zero-day trouble for Adobe lately.

The company just announced the third security hole found in its Flash player since January’s Patch Tuesday.

Details are still [2015-02-03T12:00Z] pretty scarce on this one, so it’s hard to confirm exactly what Adobe is warning about, and where it has recorded attacks.

But it’s definitely a zero-day.

As noted in Adobe’s recently-issued security advisory APSA15-02:

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Once again, the security protections such as execution prevention (DEP) and address-space randomisation (ASLR) built into Windows 8.1, and the various sandbox limitations in Internet Explorer and Firefox, have been neutralised by a buggy browser plugin.

Reports from SophosLabs suggest that this zero-day has been seen in poisoned HTML adverts that were used to deliver an exploit kit called HanJuan.

→ Sophos products block the main HanJuan exploit kit page as Mal/ExpJS-CA, and block various CVE-2015-0313 exploit files themselves as Troj/SWFExp-EM.

Understanding exploit kits

An exploit kit is a suite of cybercrime tools that can turn a web server into a launching pad for drive-by installs.

Merely visiting a poisoned web page is enough to throw a spanner in the works of an unpatched browser or plugin and gain remote control over your computer.

Generally speaking, exploit kits start out with an HTML file that loads what you might call an “exploit selector,” usually written in JavaScript.

This script tries to guess which vulnerabilities are most likely to work on your computer, based on browser version, available plugins, and other settings, and then lets rip one-by-one with specific exploits until one of the following happens:

  • Nothing. (The best result.)
  • Your browser crashes without any malware running. (Second best.)
  • One of the exploits succeeds, and you are pwned.

Releasing new exploits

When new exploits are discovered, they can be added by the crooks into existing exploit kits.

But brand new exploits are not necessarily deployed immediately.

Releasing a previously-unused zero-day exploit obviously brings it into circulation, meaning that it can now be analysed and patched by the vendor of the software it attacks.

So, if the old exploits are still delivering good results, a crook might keep the 0-day up his sleeve a bit longer.

On the other hand, the longer he waits, the more likely it is that someone else will find the same vulnerability, which could mean that it gets patched first, and thus never gets a chance to be a true 0-day.

(Zero-day means that the exploit comes out before any patches are ready, thus giving even quick-on-the-draw sysadmins zero days to patch in advance.)

Adobe has started work on fixing the CVE-2015-0313 hole, and says that it “expects to release an update for Flash Player during the week of February 2, 2015.”

What to do?

Even a zero-day exploit is very often preventable with a good proactive anti-virus, by one or more of these interventions:

  • Blocking the web sites used to host the relevant exploit kit.
  • Blocking the HTML and JavaScript that sets up the playing field and chooses the exploit to try.
  • Blocking the exploit itself (even zero-days are often detected proactively).
  • Blocking any malicious activity that the exploit initiates.

Of course, by not allowing Flash in your browser at all, you will sidestep any cybercriminals who are using it as a malware infection vector.

Our Top Tips

So, here are our Top Three tips for dealing with Flash:

  • Consider uninstalling the Flash player altogether if you don’t need it. As this exploit shows, one vulnerability in Flash can affect multiple browsers and operating systems.
  • If you really do need Flash, use “Ask” or “Ask to Activate” mode. This helps you restrict Flash to sites where you know you need it, so an unknown, hacked site will not be able to run malicious Flash in your browser invisibly.
  • Turn on HIPS if your anti-virus supports it. Host Intrusion Prevention Systems monitor system behaviour while you browse and will often detect exploit-like behaviour proactively, even if the details of the exploit are not yet known.
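One way to act on the first tip at scale is to turn the fixed build numbers from Adobe’s update (quoted at the top of this article) into an automated check of what is actually installed. The script below is an added example, not Sophos or Adobe code: `FIXED_VERSIONS` holds the APSB15-04 numbers from the article, while the host inventory, hostnames and installed-version strings are constructed sample input. It also shows the classic pitfall of comparing dotted versions as plain strings, where `"9.0.124.0"` sorts *above* `"16.0.0.305"`.

```python
"""Flag hosts whose Flash Player build is below the APSB15-04 fix for CVE-2015-0313.

Added example, not Sophos or Adobe code. Fixed versions are those quoted in
the article; the inventory below is constructed sample data.
"""
from typing import Dict, List, Tuple

# Fixed builds from APSB15-04, as quoted in the article's update.
FIXED_VERSIONS: Dict[str, str] = {
    "windows": "16.0.0.305",
    "mac": "16.0.0.305",
    "esr": "13.0.0.269",        # Extended Support Release branch (Windows/Mac)
    "linux": "11.2.202.442",
}

# Constructed sample inventory: (hostname, platform, installed Flash version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "windows", "16.0.0.296"),   # the vulnerable build named in APSA15-02
    ("ws-02", "windows", "16.0.0.305"),   # patched
    ("ws-03", "windows", "13.0.0.269"),   # patched ESR
    ("ws-04", "windows", "13.0.0.262"),   # constructed older ESR build
    ("mac-01", "mac", "16.0.0.235"),      # constructed older build
    ("lx-01", "linux", "11.2.202.440"),   # constructed older build
    ("ws-05", "windows", "9.0.124.0"),    # constructed ancient build
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.0.0.296' into (16, 0, 0, 296) so comparisons are numeric.

    String comparison gets this wrong: '9.0.124.0' > '16.0.0.305' lexically
    because '9' > '1', which would mark an ancient build as up to date.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(installed: str, platform: str) -> str:
    """Pick the fixed build for the branch the installed build belongs to.

    Windows and Mac hosts may run the 13.x Extended Support Release instead
    of the 16.x current branch, so a 13.x build is measured against the ESR fix.
    """
    if platform not in FIXED_VERSIONS or platform == "esr":
        raise ValueError(f"unknown platform: {platform!r}")
    major = parse_version(installed)[0]
    if platform in ("windows", "mac") and major == 13:
        return FIXED_VERSIONS["esr"]
    return FIXED_VERSIONS[platform]


def is_patched(installed: str, platform: str) -> bool:
    """True if the installed build is at or above the fix for its branch."""
    return parse_version(installed) >= parse_version(fixed_version_for(installed, platform))


def hosts_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose Flash build is still below the APSB15-04 fix."""
    return [host for host, platform, ver in inventory if not is_patched(ver, platform)]


if __name__ == "__main__":
    for host in hosts_needing_update(INVENTORY):
        print(f"{host}: Flash below APSB15-04 fix, update or disable the plugin")
```

Because the check keys on the branch a host is actually running, a 13.x ESR install is judged against 13.0.0.269 rather than being flagged merely for not being 16.x; anything on an unmaintained branch falls through to the current-branch fix and is reported as needing attention.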

Seriously: if you haven’t yet tried living without Flash for a few days, why not do so now?

You can either turn off the Flash plugin in your browser, or uninstall the Flash player altogether.

If you find sites that simply won’t work without Flash, you can always turn it back on or reinstall.

You never know: you may find that everything you require on the internet, and most things you want, work just fine without Flash.

After all, it’s more than three years since Adobe pulled the plug on browser Flash on iOS and Android, and the wheels haven’t come off either of those platforms yet…