Exploit Kits Taking Advantage of Adobe Flash Vulnerabilities

Today we will take a look at some of the recent security issues affecting Adobe Flash Player, including Adobe's recently issued security advisory APSA15-02, quoted below.

Summary

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh.  Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. 

Most people are aware of the security risks of running plugins like Java and Adobe Flash in their browser, so it comes as no surprise that criminals use vulnerabilities in these plugins, together with exploit kits such as Angler and malvertising schemes, to further their illegal activity. Adobe announced a zero-day vulnerability (CVE-2015-0313) in Adobe Flash Player version 16.0.0.296 and earlier; the in-the-wild exploit was delivered by an exploit kit known as HanJuan. The vulnerability is a bug in how Flash handles the FlashCC "fast memory access" feature (domainMemory) when that memory is used by Flash Workers (Flash threads). According to Trend Micro, the attack was delivered through malicious advertisements served on popular websites such as Dailymotion, Wowhead and Answers.com; the ads redirected visitors through multiple sites before landing on the URL "hxxp://www.retilio.com/skillt.swf". That long redirect chain is what makes the attack hard to spot from the victim's side: the user only ever chose to visit the first site.
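The redirect chain described above is the thing a defender can actually look for in proxy logs: a Flash file (.swf) served by a host the user never navigated to, reached through several referrer hops from an ad slot. The script below is an added example, not code from the original post or from Trend Micro. The log lines are constructed for this example (the retilio.com URL is the one named in the post; every other hostname is a reserved .example name), the whitespace-separated log format is an assumption, and the "three or more distinct hosts" rule is a heuristic chosen here, not a published detection.

```python
from urllib.parse import urlparse

# Constructed sample proxy log (NOT a real capture): "client url referrer content_type".
# Lines 1-5 are a malvertising chain ending at the URL named in the post; line 6 is a
# benign SWF served by the site the user is actually on.
SAMPLE_LOG = """\
10.0.0.5 http://www.dailymotion.com/video/x1 - text/html
10.0.0.5 http://ads.adnetwork.example/serve?id=77 http://www.dailymotion.com/video/x1 text/html
10.0.0.5 http://redir1.example/go http://ads.adnetwork.example/serve?id=77 text/html
10.0.0.5 http://redir2.example/land http://redir1.example/go text/html
10.0.0.5 http://www.retilio.com/skillt.swf http://redir2.example/land application/x-shockwave-flash
10.0.0.9 http://www.dailymotion.com/player.swf http://www.dailymotion.com/video/x2 application/x-shockwave-flash
"""

SWF_CONTENT_TYPES = {"application/x-shockwave-flash"}


def parse_log(text):
    """Turn the constructed log format into dicts; '-' means no Referer header."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, referrer, ctype = line.split()
        records.append({"client": client, "url": url,
                        "referrer": None if referrer == "-" else referrer,
                        "ctype": ctype})
    return records


def is_swf(rec):
    # Check both the MIME type and the extension: exploit kits often lie about one of them.
    return rec["ctype"] in SWF_CONTENT_TYPES or urlparse(rec["url"]).path.lower().endswith(".swf")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def referrer_chain(records, rec, max_hops=10):
    """Walk Referer headers backwards (same client only) to the page the user started on.
    max_hops guards against referrer loops; an unknown referrer ends the walk."""
    seen = {}
    for r in records:
        if r["client"] == rec["client"]:
            seen.setdefault(r["url"], r)  # first sighting of each URL wins
    chain = [rec["url"]]
    cur = rec
    while cur["referrer"] and len(chain) < max_hops:
        chain.append(cur["referrer"])
        cur = seen.get(cur["referrer"])
        if cur is None:
            break
    chain.reverse()
    return chain


def suspicious_swf_chains(records, min_distinct_hosts=3):
    """Flag SWF downloads whose host differs from the originating page and whose
    referrer chain crossed at least min_distinct_hosts hosts (heuristic, assumed here)."""
    alerts = []
    for rec in records:
        if not is_swf(rec):
            continue
        chain = referrer_chain(records, rec)
        hosts = [host_of(u) for u in chain]
        if hosts[-1] == hosts[0]:
            continue  # SWF served by the site the user chose to visit: not interesting
        if len(set(hosts)) >= min_distinct_hosts:
            alerts.append({"client": rec["client"], "swf": rec["url"], "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for a in suspicious_swf_chains(parse_log(SAMPLE_LOG)):
        print(a["client"], "->", " -> ".join(a["hosts"]))
```

On the sample log this reports one chain for client 10.0.0.5, from www.dailymotion.com through the ad network and two redirectors to www.retilio.com; the player.swf on line 6 is skipped because it is served by the page's own host. Tune min_distinct_hosts to your environment, since legitimate ad networks also produce multi-hop chains.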

Shortly before that, the Angler Flash zero-day (CVE-2015-0311) was discovered by the French researcher known as Kafeine. Other exploit kits besides Angler, such as RIG and Nuclear Pack, have since also been seen taking advantage of CVE-2015-0311.

Cisco has reported that roughly 1,800 domains were compromised to host Angler landing pages and the exploits they serve. We have also seen Flash zero-day exploit code in Angler installing the click-fraud malware Bedep, which then acts as a dropper for further malicious files. The exploit code was hidden behind several layers of obfuscation to avoid detection.

Exploit kits are dangerous because they turn ordinary web servers into launching pads for drive-by installs. In most cases simply visiting one of these poisoned pages can result in remote control of your computer through an unpatched plugin or browser. Flash is an attractive target because it keeps its own local storage on disk (Local Shared Objects, often called Flash cookies) and can open network connections to remote hosts, so a successful exploit has both data to read and a channel to send it over. Flash cookies are an appealing target in themselves, since sites may store credentials and other sensitive information in them.

You can inspect the Shared Objects on the file system in the following locations. On a Mac, look in the Library/Preferences/Macromedia/Flash Player/#SharedObjects folder under your home directory. On Windows XP the files live under C:\Documents and Settings\[Username]\Application Data\Macromedia\Flash Player\#SharedObjects; on Windows Vista and later the same tree sits under %APPDATA%\Macromedia\Flash Player\#SharedObjects. Each .sol file is stored under a random folder name and then the domain that wrote it, so the path alone tells you which site owns the data. My advice would be: if you must use the Flash and JVM plugins, whitelist the sites allowed to run them (click-to-play); otherwise disable or uninstall them altogether. HTML5 is also an alternative to Adobe Flash for video and interactive content.
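The following script is an added example for inspecting the Shared Objects folders named above; it is not code from the original post. It walks a #SharedObjects tree, reports which domain wrote each .sol file, and parses the fixed .sol header (00 BF magic, big-endian body length, "TCSO" tag, six reserved bytes, 2-byte name length, name, 4-byte AMF version). The Mac and Windows XP paths are the ones from the post; the %APPDATA% path for later Windows versions and the Linux path are added here from the standard player layout. The sample file is constructed for the example, not a captured cookie.

```python
import os
import sys
import tempfile
from pathlib import Path

SOL_MAGIC = b"\x00\xbf"   # first two bytes of every Local Shared Object
SOL_TAG = b"TCSO"         # fixed tag at offset 6


def default_shared_objects_dir() -> Path:
    """Per-user #SharedObjects folder. Mac and Windows XP paths are from the post;
    %APPDATA% (Vista and later) and ~/.macromedia (Linux) are added here."""
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects"
    if sys.platform.startswith("win"):
        base = os.environ.get("APPDATA") or os.path.join(
            r"C:\Documents and Settings", os.environ.get("USERNAME", ""), "Application Data")
        return Path(base) / "Macromedia" / "Flash Player" / "#SharedObjects"
    return Path.home() / ".macromedia" / "Flash_Player" / "#SharedObjects"


def parse_sol_header(data: bytes):
    """Parse the fixed header of a .sol file; returns None if it is not one."""
    if len(data) < 18 or data[:2] != SOL_MAGIC or data[6:10] != SOL_TAG:
        return None
    body_len = int.from_bytes(data[2:6], "big")      # file size minus the 6 leading bytes
    name_len = int.from_bytes(data[16:18], "big")
    name_end = 18 + name_len
    if len(data) < name_end + 4:
        return None                                  # truncated: name or version missing
    return {
        "name": data[18:name_end].decode("utf-8", "replace"),
        "amf_version": int.from_bytes(data[name_end:name_end + 4], "big"),  # 0 = AMF0, 3 = AMF3
        "declared_length": body_len,
        "payload_length": len(data) - (name_end + 4),  # serialised AMF objects follow the header
    }


def list_shared_objects(root: Path):
    """Walk <root>/<random>/<domain>/... and describe every .sol file.
    Files with a bad header are still listed, flagged valid=False, so they get looked at."""
    results = []
    for path in sorted(root.rglob("*.sol")):
        rel = path.relative_to(root).parts
        domain = rel[1] if len(rel) >= 3 else "(unknown)"
        hdr = parse_sol_header(path.read_bytes())
        entry = {"path": str(path), "domain": domain,
                 "size": path.stat().st_size, "valid": hdr is not None}
        if hdr:
            entry.update(hdr)
        results.append(entry)
    return results


def build_sample_sol(name: str, payload: bytes) -> bytes:
    """Constructed .sol bytes (not a real captured cookie) for offline runs."""
    name_b = name.encode()
    body = (SOL_TAG + b"\x00\x04\x00\x00\x00\x00"
            + len(name_b).to_bytes(2, "big") + name_b
            + b"\x00\x00\x00\x00" + payload)
    return SOL_MAGIC + len(body).to_bytes(4, "big") + body


def demo_in_tempdir():
    """Build a tiny fake #SharedObjects tree in a temp dir and list it."""
    root = Path(tempfile.mkdtemp())
    site = root / "ABCDEFGH" / "www.example.test"   # <random>/<domain> layout
    site.mkdir(parents=True)
    (site / "settings.sol").write_bytes(build_sample_sol("settings", b"\x00\x00\x00\x00"))
    (site / "broken.sol").write_bytes(b"not a shared object")
    return list_shared_objects(root)


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_shared_objects_dir()
    entries = list_shared_objects(root) if root.is_dir() else demo_in_tempdir()
    for e in entries:
        status = f"AMF{e['amf_version']} name={e['name']!r}" if e["valid"] else "bad .sol header"
        print(f"{e['domain']:<28} {e['size']:>7}  {status}  {e['path']}")
```

Run it with no arguments to scan the current user's real folder (or the constructed demo tree if that folder does not exist), or pass a path to a copied #SharedObjects tree taken from a suspect machine. The header parser only identifies and sizes each object; decoding the AMF payload itself would need a full AMF deserialiser.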