Thanks to Andrew O’Donnell and Fraser Howard of SophosLabs for their behind-the-scenes work on this article.
Are you still using Flash in your browser?
If so, make certain you’ve got the latest update from Adobe, even though it only came out last week.
Ideally, you’ll have 126.96.36.199, announced in Adobe Security Bulletin APSB15-14, issued on 2015-06-23.
→ Windows and Mac users can optionally choose the Extended Support Release, which is an old version retrofitted with the latest necessary security fixes. That one is numbered 188.8.131.526. Linux users are stuck back on Flash 11, for which the current update is 184.108.40.2068.
Adobe still delivers its routine patches on Update Tuesday, the second Tuesday of every month, so last week’s patch was of the unexpected, emergency sort.
Targeted attacks to start with
The bug that was fixed is designated CVE-2015-3113, and it is a remote code execution (RCE) bug that Adobe admitted was “being actively exploited in the wild via limited, targeted attacks.”
However, Adobe went on to temper that statement by adding, “Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”
Whether that’s because the threat mitigations in Windows 8 and above make this vulnerability too hard to exploit, or simply because the victims being targeted were known in advance to be running older versions of Windows, is not clear.
One thing is for sure, though: there’s still a lot of XP about.
The announcement that the US Navy just paid for a year of extended support for XP – more than a year after official support ended anyway – was a blunt reminder of that.
As colleague Chester Wisniewski pointed out [0’43”] in this week’s Chet Chat podcast:
After all the news of the breaches in all these different government agencies..., it was a little concerning to think that we're not down to the shortlist of the last 500 machines over here in the corner, but 100,000 [Navy computers] still running XP.
In fact, by some accounts, Windows XP is still more widely used worldwide than all versions of OS X out there, and only a shade behind Windows 8 and 8.1 combined.
Cybercrooks join the attacks
As documented by well-known independent malware researcher Kafeine, attack code using the CVE-2015-3113 Flash bug has already been packaged by crooks into an exploit kit called Magnitude.
Exploit kits, don’t forget, are part of the “pay-per-install” ecosystem of modern crimeware.
Instead of battling to build a specific exploit into your own malware so you can attack unsuspecting users with a drive-by download, you just buy or rent access to an exploit kit (EK).
At that point, if you’re the crook, it’s up to you what you want the EK to deliver.
Weapon of choice
So far, it looks as though the malware of choice that’s pushed out by the crooks behind these attacks is ransomware of the Crypto Defense family.
Cryptoransomware, of course, is a particularly odious sort of malware that leaves your computer running fine, but scrambles your data files and then demands a fee for the decryption key to unlock them.
If you don’t have a backup, and the crooks have done their cryptographic programming correctly, then paying up is about the only way to see your files again.
What to do?
Prevention, obviously, is what you want, especially where the data-scrambling payload of ransomware is concerned.
Here are some tips:
- If you don’t need Flash, don’t install it at all. To find out if you actually need it, rather than assuming you need it, try living without it for a week or two. You may get a pleasant surprise.
- If you need Flash only occasionally, use click-to-play. That’s where your browser asks you every time whether you want to let a page use Flash. Or turn the Flash plugin off altogether except for the times you know you need it.
- If you have Flash, don’t lag behind on updates. Even automatic updates can take a while to turn up, because Adobe spreads the load randomly amongst its users. You can jump the queue by checking for updates manually.
- If you’re still running Windows XP, please don’t. Vulnerabilities that are really difficult for crooks to exploit on Windows 7 and later – as good as impossible, in fact – can often still be turned into working attacks against Windows XP.
- Don’t skip making backups. If you don’t have a good enough backup to recover from ransomware, you are at risk of any number of other potential data disasters, too. These include accidental deletion, a failed hard drive, and a lost or stolen laptop.
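An added example, not from the article or from Sophos: because Adobe publishes a separate fixed build for each Flash branch (the mainline release, the Extended Support Release, and the Linux-only 11.x line), an update check has to compare an installed version against the fixed version for its own branch, not against the newest mainline number. The fixed versions below are constructed placeholders; the real ones come from the Adobe bulletin (APSB15-14 for this bug).

```python
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted Flash version string (major.minor.build.revision)
    such as the one shown at adobe.com/software/flash/about/ into ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash Player version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed_by_branch: Dict[int, str]) -> bool:
    """True if `installed` is at or above the fixed build for its branch.

    `fixed_by_branch` maps a major version (the branch) to the first build of
    that branch containing the fix.  A branch the bulletin does not list has
    no fixed build at all, so anything on it is reported as unpatched.
    """
    inst = parse_version(installed)
    branch = inst[0]
    if branch not in fixed_by_branch:
        return False
    return inst >= parse_version(fixed_by_branch[branch])


# Constructed placeholder table: substitute the per-branch fixed versions
# listed in the Adobe bulletin before using this against real hosts.
SAMPLE_FIXED = {
    18: "18.0.0.100",     # placeholder for the mainline fixed build
    13: "13.0.0.200",     # placeholder for the Extended Support Release build
    11: "11.2.202.300",   # placeholder for the Linux 11.x build
}


def audit(hosts: Dict[str, str], fixed_by_branch: Dict[int, str]) -> Dict[str, bool]:
    """Map host name -> patched? over an inventory of installed versions."""
    return {h: is_patched(v, fixed_by_branch) for h, v in hosts.items()}


if __name__ == "__main__":
    inventory = {  # constructed sample inventory of installed versions
        "win7-ie": "18.0.0.99",       # mainline, one build short of the fix
        "mac-esr": "13.0.0.200",      # ESR at its fixed build: patched
        "linux-box": "11.2.202.250",  # Linux branch, below its fixed build
    }
    for host, ok in audit(inventory, SAMPLE_FIXED).items():
        print(f"{host}: {'patched' if ok else 'UPDATE NEEDED'}")
```

Note that a naive comparison against the mainline number would wrongly flag the patched ESR host, which is the case the per-branch lookup exists to handle.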
Free Virus Removal Tool
The Sophos Free Virus Removal Tool works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.
Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.
6 comments on “Latest Flash hole already exploited to deliver ransomware – update now!”
locating Flash and selecting click-to-play instructions would be helpful
Quick search popped up this.. http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/
For the latest Firefox on Windows 7, click on the Firefox menu items Tools > Add-ons > Plug-ins > look for the “Shockwave Flash” plug-in, and then ensure the “Ask to Activate” option is set.
Adobe doesn’t exactly make it easy to determine what version of Flash player you are running. I’ll try to embed the URL for checking the version here, but it’ll probably be filtered out by this blog’s spam filtering – http://www.adobe.com/software/flash/about/
Not too sure on Windows but on OS X you can go to System Preferences | Flash Player and on the update tab it will show the version. You can then do a quick manual update check while you’re about it, in case 🙂
Note that if you have more than one browser on your computer you must update ALL of them separately. All windows computers have Internet Explorer but many of us have installed Firefox or Chrome or some other third party browser and use it as our primary browser. Even if you don’t use IE you must update it along with your primary browser to be secure.