Update. Adobe has issued APSB15-04, announcing the availability of Flash updates for all platforms to patch against this vulnerability. Windows and Mac go to version 16.0.0.305; the Extended Support Release goes to 13.0.0.269; and Linux goes to 11.2.202.442 [2015-02-05T21:00Z].
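As an added example (not code from the article or from Adobe), the following script turns the fixed builds listed in the update above into a check an administrator can run over an inventory of installed Flash versions. It accepts both dot- and comma-separated strings (the Flash about box shows commas), picks the release branch from the major number, and treats any branch that received no fix as still exposed; hostnames and the inventory are constructed for illustration.

```python
import re

# Fixed builds from APSB15-04, as listed in the update at the top of this post.
# The Flash major number identifies the release branch.
FIXED_VERSIONS = {
    "standard": (16, 0, 0, 305),   # Windows and Mac
    "esr": (13, 0, 0, 269),        # Extended Support Release
    "linux": (11, 2, 202, 442),
}

def parse_version(text):
    """Turn '16.0.0.296' or '16,0,0,296' into a tuple of four ints."""
    parts = re.split(r"[.,]", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Flash version: {text!r}")
    return tuple(int(p) for p in parts)

def release_branch(version):
    """Map a parsed version onto the branch APSB15-04 patched, or None
    for an older branch that got no fix at all."""
    major, minor = version[0], version[1]
    if major == 13:
        return "esr"
    if major == 11 and minor == 2:
        return "linux"
    if major >= 14:
        return "standard"
    return None

def is_patched_for_cve_2015_0313(text):
    """True only if the build is at or above the fixed build for its branch."""
    version = parse_version(text)
    branch = release_branch(version)
    if branch is None:
        return False  # out-of-support branch: no fix exists, treat as exposed
    return version >= FIXED_VERSIONS[branch]

def hosts_needing_update(inventory):
    """Given {host: version string}, return the sorted hosts still exposed."""
    return sorted(h for h, v in inventory.items()
                  if not is_patched_for_cve_2015_0313(v))

# Constructed sample inventory (hostnames and builds made up for illustration).
SAMPLE_INVENTORY = {
    "win-desk-01": "16,0,0,296",     # pre-fix build named in APSA15-02
    "win-desk-02": "16.0.0.305",     # fixed
    "mac-esr-01": "13.0.0.269",      # fixed ESR build
    "linux-box-01": "11.2.202.440",  # constructed build below the Linux fix
}
```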
It looks as though once, no, sorry, twice hasn’t been enough zero-day trouble for Adobe lately.
The company just announced the third security hole found in its Flash player since January’s Patch Tuesday.
Details are still [2015-02-03T12:00Z] pretty scarce on this one, so it’s hard to confirm exactly what Adobe is warning about, and where it has recorded attacks.
But it’s definitely a zero-day.
As noted in Adobe’s recently-issued security advisory APSA15-02:
A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.
Once again, the security protections such as execution prevention (DEP) and address-space randomisation (ASLR) built into Windows 8.1, and the various sandbox limitations in Internet Explorer and Firefox, have been neutralised by a buggy browser plugin.
Reports from SophosLabs suggest that this zero-day has been seen in poisoned HTML adverts that were used to deliver an exploit kit called HanJuan.
→ Sophos products block the main HanJuan exploit kit page as Mal/ExpJS-CA, and block various CVE-2015-0313 exploit files themselves as Troj/SWFExp-EM.
Understanding exploit kits
An exploit kit is a suite of cybercrime tools that can turn a web server into a launching pad for drive-by installs.
Merely visiting a poisoned web page is enough to throw a spanner in the works of an unpatched browser or plugin and gain remote control over your computer.
Generally speaking, exploit kits start out with an HTML file that loads what you might call an “exploit selector,” usually written in JavaScript.
This script tries to guess which vulnerabilities are most likely to work on your computer, based on browser version, available plugins, and other settings, and then lets rip one-by-one with specific exploits until one of the following happens:
- Nothing. (The best result.)
- Your browser crashes without any malware running. (Second best.)
- One of the exploits succeeds, and you are pwned.
Releasing new exploits
When new exploits are discovered, they can be added by the crooks into existing exploit kits.
But brand new exploits are not necessarily deployed immediately.
Releasing a previously-unused zero-day exploit obviously brings it into circulation, meaning that it can now be analysed and patched by the vendor of the software it attacks.
So, if the old exploits are still delivering good results, a crook might keep the 0-day up his sleeve a bit longer.
On the other hand, the longer he waits, the more likely it is that someone else will find the same vulnerability, which could mean that it gets patched first, and thus never gets a chance to be a true 0-day.
(Zero-day means that the exploit comes out before any patches are ready, thus giving even quick-on-the-draw sysadmins zero days to patch in advance.)
Adobe has started work on fixing the CVE-2015-0313 hole, and says that it “expects to release an update for Flash Player during the week of February 2, 2015.”
What to do?
Even a zero-day exploit is very often preventable with a good proactive anti-virus, by one or more of these interventions:
- Blocking the web sites used to host the relevant exploit kit.
- Blocking the HTML and JavaScript that sets up the playing field and chooses the exploit to try.
- Blocking the exploit itself (even zero-days are often detected proactively).
- Blocking any malicious activity that the exploit initiates.
Of course, by not allowing Flash in your browser at all, you will sidestep any cybercriminals who are using it as a malware infection vector.
Our Top Tips
So, here are our Top Three tips for dealing with Flash:
- Consider uninstalling the Flash player altogether if you don’t need it. As this exploit shows, one vulnerability in Flash can affect multiple browsers and operating systems.
- If you really do need Flash, use “Ask” or “Ask to Activate” mode. This helps you restrict Flash to sites where you know you need it, so an unknown, hacked site will not be able to run malicious Flash in your browser invisibly.
- Turn on HIPS if your anti-virus supports it. Host Intrusion Prevention Systems monitor system behaviour while you browse and will often detect exploit-like behaviour proactively, even if the details of the exploit are not yet known.
Seriously: if you haven’t yet tried living without Flash for a few days, why not do so now?
You can either turn off the Flash plugin in your browser, or uninstall the Flash player altogether.
If you find sites that simply won’t work without Flash, you can always turn it back on or reinstall.
You never know: you may find that everything you require on the internet, and most things you want, work just fine without Flash.
After all, it’s more than three years since Adobe pulled the plug on browser Flash on iOS and Android, and the wheels haven’t come off either of those platforms yet…
I have managed without Flash for almost a year without a problem.
The alternative? OK it is a bit more work:
Download the .swf file
Scan it with your Anti Virus
Load it into one of the many converters available and watch in your favourite video software.
If we don’t have to keep patching Flash on a weekly basis, how is Adobe going to make money installing Mcafee’s PUPs on our computers?
You guys need to start thinking about Adobe’s needs.
Regardless of what a company’s product may be, if they are out to make “MONEY”, they better get it right the first time. With so many updates Adobe has lost credibility with the public and anything new from Adobe will be met with skepticism.
No PUPs here…
http://www.adobe.com/products/flashplayer/distribution3.html
Isn’t there any other product to replace Flash Player that can be downloaded online? I am not computer literate and don’t know what/where is a .swf file. I don’t know what the many converters are. I uninstalled Flash Player. I’d sure like to play a simple game or two like mah jongg. I am currently using Firefox (or is it Foxfire?) and have Windows 8.1.
Many sites use Flash for graphical content like videos and games, for historical reasons. But modern browsers, including Firefox, can now do pretty much all that Flash used to do, right inside the browser. As a result, many sites also support you just fine if you don’t have Flash. (Over time, it’s reasonable to assume that sites that work fine with or without Flash will abandon Flash as redundant, and the amount of Flash out there will steadily decrease.)
A few sites haven’t adapted, and still insist on Flash, in which case you’re stuck, and you’ll need to find an alternative site instead.
The answer is simple, “Try ’em and see!”
Definitely ready to throw insecure technologies like Flash on the scrap heap, along with Java, but it’s very difficult to do so when so many sites rely on it.
What needs to be thrown on the scrap heap, is not Java the language (though I’m no fan of it), but Java in the browser. The Java plugin should not even be installed in your browser.
To be fair, Oracle’s default installation these days (at least on OS X) doesn’t turn it on in the browser. You have to turn it on in Java’s own System Prefs and *then* you get to fiddle with it in the browser.
I’ve done without Java for well over a year now and never missed it. I think you don’t need it unless you are at work.
I’m sick of upgrading Adobe Flash. I can’t help feeling that all these exploits are originating from the large hack where they had a lot of their source code stolen.
Considering their non-existent Firefox Android presence and their lacklustre Linux version, why don’t they just make it open source and be done with it?
Flash is nothing but a liability waiting to happen – roll HTML5 development.
I suspect the rash of vulnerabilities says more about the age of the code, the priorities of the company and how it tasked its developers over many years.
Software that’s been around as long as Flash is built up in layer upon layer. You don’t get security by default, you have to try hard to get it and keep trying hard to hold on to it. If it’s not there, in your process from the start, it can cause a lot of pain later on (IE, IIS, Adobe Reader, Java etc.)
Hello Mark, I think it’s time to take Ol’ Flash round the back and shoot it. I’ve literally just sourced version 16.0.0.305 and installed it to replace 16.0.0.296 which is less than one week old only to find that this is out of date as well!
There is a new version 17,0,0,93 but I wouldn’t hold your breath because by the time I’m finished typing this they may already be on version 18!!!???
Adobe, what are you doing????
Paul, if you are reading this you might want to change the title to 3 and a half times lucky!
Agreed, quick and painless. If not for the security benefits, just for that soothing sensation in your ears when your laptop fan winds back down from 3,000rpm.
Hahahaha. I misread that as “laptop fan wind”, the name given to the Flash of AIR that billows from the vents when your CPU and GPU are busy 🙂
It’s kinda ironic that a week from today is February’s Patch Tuesday anyway… so there will likely be ANOTHER one then. One per week for 5 weeks straight!
Consistency. Could be considered a feature 🙂
To be fair, you have to give Adobe credit for getting on with it and publishing fixes quickly.
True… but if they didn’t make such a vulnerability-ridden product in the first place…!
It would be a great help if FaceBook would move away from Flash, or at least offer a HTML5 option for those of us who are running a browser without Flash.
Even these days, there are many old or under-supported sites bound to Flash. I tried to download an audioguide from my city (a city that was awarded a European Union prize for its website) and it required me to have a Flash player – that meant I had to hack my mobile browser. Why do they use Flash — because it is nice. Aesthetics suck!
would MS EMET be any help against it?
Not sure yet. Turning off Flash would *definitely* work, though 🙂 And using Ask-to-Activate is close to as good. At least, it prevents unexpected surprises.
The other neat thing about Ask-to-Activate is that quite a few sites seem to produce that warning and then work anyway. And that may help to decide just how necessary Flash really is in your browser.
I have a feeling that quite a few people cling to Flash because of the fact that many sites use it if they can. But that is not the same as sites that *need* it…
Hmm. See my comment below. At least in my latest attempts on YouTube, I get the result I want (HTML5 from the outset) by choosing “Never Activate” for Flash in Firefox, but not with “Ask to Activate”.
After reading this article and the article that YouTube now uses HTML5 I turned off Flash in Firefox. Every website I went to after, including YouTube would not show any video unless I activated Flash. Most others were Canadian TV network sites where I watch episodes of TV programs.
Is there something else I’m supposed to do/change to be able to use the HTML5 instead of Adobe Flash?
I’m no computer expert, just a decades long user. Members of a chat group I belong to look to me to find solutions for their computer problems and they all report problems with Flash.
I’ve found that if I set “Ask to Activate,” then YouTube will wait for me to say “Allow.” I can say “Continue Blocking” but then the video will indeed be blocked. (No fallback to HTML5.)
But if I set Flash in Firefox to “Never Activate,” it’s as though I don’t have Flash installed and YT videos play just fine.
Tried that Paul, YouTube videos work but none of the TV episodes will play. A couple of sites put up a message telling me I needed Flash installed. Most did nothing, just showing the circle forever turning, and nothing was downloaded. I guess we Canadians will have to wait longer for the switch to HTML5 video viewing on most sites.
The downloadable form of 16.0.0.305 is available now:
https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Thanks…I’m updating the article to note that the update’s shipped. Not too shabby on Adobe’s part.
Done.
So, if this is on my computer, how in the world do I get rid of it?
I’m running Windows 8.1 (64 bit) with Norton Internet Security. Both have the latest updates. Also have Malwarebytes installed. Ran scans with both programs. Neither is finding this virus.
What really burns me is that after 4, yes 4, clean installs with drive formatting each time, I cannot get rid of this virus. During each install, I never visited any website. Just made the updates from within windows update and Norton update.
Is it possible that this virus could be hidden on my other drive partitions? Through process of elimination, I surmise that the virus is either on one of the factory partitions on my C drive or my router is somehow infected. I also tried a direct plugin to the DSL modem and still no luck.
I also have other hard drives – two which I reformatted. The third drive is a data drive.
Any help is greatly appreciated.
When you say “virus,” how do you know there’s malware on your system? What are the symptoms? It’s hard to work out what’s happening, let alone what might have caused it, without some indication of why you’re suspicious…