It’s probably smart to disable or remove your Flash Player for at least the next few days. Malware don’t need coffee discovered an unpatched vulnerability (a zero-day) in Flash Player today that is already being exploited by an attack tool called the Angler Exploit Kit. This attack could potentially harm many computers because it targets everyone who visits a website that contains the malicious code and whose security software doesn’t block the malware.
Drive-by download attack: starts silently in the background
Exploit kits such as this one are malicious web applications that check if site visitors run outdated software on their computers and then exploit vulnerabilities in that software to install malware. They usually target popular applications that are accessible through browser plug-ins and toolbars, such as Java, Flash Player and Adobe Reader.
How the Angler Exploit Kit attacks
The Angler Exploit Kit (often abbreviated to Angler EK) fires three different exploits at Flash Player:
1. Their “standard” CVE-2014-8440 exploit (sample hash cb89e2da32a672a2b2bfea5b41f45ad5)
2. A new one, the subject of this post (sample hash 86ee0a34b6f9b57c732b1aa9f4c45575), which hits Flash Player up to version 15.0.0.223
3. A third one, not used in every instance, which exploits the latest version of Flash Player as of 2015 (16.0.0.257)
Exploited operating systems and browsers
Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. At the time of posting (1/20/2015), the following operating system and browser combinations are known to be vulnerable:
- Windows XP, Internet Explorer 6 to 8, Flash 16.0.0.257
- Windows 7, IE8, Flash 16.0.0.257, UA: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
- Windows 8, IE10 with Windows8-RT-KB3008925-x86 (Flash 16.0.0.235), UA: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
- Windows 8, IE10 with all updates (Flash 16.0.0.257)
Windows 8.1 (fully updated) appears to be safe, as does the Google Chrome browser. No infected files have been seen yet.
What are zero day exploits again?
Zero-day flaws are application vulnerabilities that nobody knows about until it’s too late. They’re things like Heartbleed, Shellshock or, more recently, POODLE, which allow hackers and attackers to execute malicious code on machines that aren’t theirs. They’re also things like Sandworm and Operation Snowman: previously unknown entry points into a PC through end-user software that allow malware writers to infect their victims in new and often unprotected ways.
Zero-days are dangerous because once they are announced, users literally have “zero days” to apply a patch. Once a zero-day is made public, you can assume it’s already being exploited by cybercriminals in the wild. Learn more about how they are created and discovered here.
Extra steps you can take for protection
To stay on the safe side, it’s best to either remove or turn off your Flash Player for the next few days. This latest zero-day is far from the first time Flash has been vulnerable to attack. Accordingly, many users choose to disable the plug-in entirely and run it only when they need it and know they will be using it on a trusted website.
Make sure you have the most up-to-date versions of your software and plug-ins, and have good security software installed. Emsisoft Anti-Malware provides 3 layers of protection. Layer 1 is called Web Protection, and it automatically protects you from malicious websites like the one used to exploit this latest Adobe Flash zero-day. Layer 2 is a dual-engine malware scanner, which recognizes over 12 million threats and is updated in real time. Layer 3 is our own Behavior Blocking technology, which is powerful enough to identify any as-yet-unregistered variant attempting to maliciously modify your computer.
UPDATE 1/22: Firefox is now vulnerable as well. Any version of Internet Explorer or Firefox on any version of Windows can be targeted if Flash Player up to and including 16.0.0.287 is installed and enabled.
UPDATE 1/27: The vulnerability has been fixed in Flash Player version 16.0.0.296.
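The two update lines above give a defender everything needed for a quick inventory check. The following is an added example, not code from the original post: it classifies each host's Flash Player version against the affected ceiling the post states (up to 16.0.0.287) and the fixed build (16.0.0.296), treats the Chrome case as the post does (listed as safe), and flags anything it cannot classify. The inventory records are constructed sample data; the comma-separated version form is the one the Flash player itself reports.

```python
import re

# Thresholds stated in this post: builds up to 16.0.0.287 are exposed and
# Adobe's fix shipped as 16.0.0.296; versions in between are unverified.
LAST_AFFECTED = (16, 0, 0, 287)
FIXED_IN = (16, 0, 0, 296)

# Dotted form (16.0.0.257) or the comma form the player reports ("WIN 16,0,0,257").
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")

def parse_flash_version(raw):
    """Return the version as an int 4-tuple, or None when it cannot be read."""
    m = _VERSION_RE.search(raw or "")
    return tuple(int(x) for x in m.groups()) if m else None

def assess(flash_version, browser):
    """Classify one host against the post's affected/fixed thresholds."""
    if not flash_version:
        return "not installed"
    v = parse_flash_version(flash_version)
    if v is None:
        return "unknown"               # unreadable string: needs a manual look
    if browser.lower().startswith("chrome"):
        return "not exposed (Chrome)"  # listed as safe in the post; still update
    if v <= LAST_AFFECTED:             # tuple compare, so 9.0.0.1 < 16.0.0.287
        return "vulnerable"
    if v >= FIXED_IN:
        return "patched"
    return "unknown"                   # a build between .287 and .296

# Constructed sample inventory (not real hosts); "flash" is the version the
# installed player reports, or "" when no player is present.
INVENTORY = [
    {"host": "ws-01", "browser": "IE 8", "flash": "16.0.0.257"},
    {"host": "ws-02", "browser": "IE 10", "flash": "WIN 16,0,0,235"},
    {"host": "ws-03", "browser": "Firefox", "flash": "16.0.0.296"},
    {"host": "ws-04", "browser": "Chrome", "flash": "16.0.0.257"},
    {"host": "ws-05", "browser": "IE 11", "flash": ""},
    {"host": "ws-06", "browser": "IE 9", "flash": "16.0.0.290"},
]

def triage(inventory):
    """Map host name -> status for every record."""
    return {r["host"]: assess(r["flash"], r["browser"]) for r in inventory}

def hosts_needing_action(inventory):
    """Hosts on which Flash should be disabled or updated now."""
    statuses = triage(inventory)
    return sorted(h for h, s in statuses.items() if s in ("vulnerable", "unknown"))
```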
Have a great (zero-free) day!