Last week, Adobe made the headlines again with a zero-day vulnerability in its Flash Player software that affected Internet Explorer; an exploit for it is present in the Angler exploit kit. Over the weekend, Adobe put out an update to fix a second such vulnerability; this one impacts both IE and Firefox when running on all currently supported versions of Microsoft’s Windows operating system.
According to Adobe, it also affects Flash Player running on earlier versions of Mac and Linux. Although some reports say that Google’s Chrome web browser doesn’t seem to be affected, Adobe’s statement said they will make the update available in Chrome and IE 10 and 11.
Like the first vulnerability, this one can be exploited using the Angler kit. It is identified as CVE-2015-0311 (the flaw that was fixed last week was labeled CVE-2015-0310) and it has been seen in the wild, with traffic utilizing it reportedly blocked by Cloud Web Security (CWS), according to security researchers at Cisco. Adobe reported drive-by download attacks against Windows 8.1 and earlier systems.
Cisco’s Security blog published a post that lists domain names that were used by the group from which a majority of the exploits originated; however, most are used for only twenty-four hours and new domains are registered daily by this group. It’s obvious that this is an organized and coordinated attack effort that’s being perpetrated by clever attackers. The exploits in kits such as Angler are continuously being updated as software companies scramble to patch the holes they utilize.
Adobe’s Product Security Incident Response Team (PSIRT) released a security advisory about the new vulnerability on January 22. Then on January 24, they issued an update saying that the fix would be distributed via the auto-update mechanism in Flash Player beginning on January 24, and that a manual download would become available during the week of January 26. To Adobe’s credit, they released the patch two days earlier than expected.
The researcher who discovered both last week’s patched Flash vulnerability and this one is known by the name of Kafeine. According to an article in Security Week online, Kafeine said that one of the components of the Windows Easy Transfer application, specifically migsetup.exe, is being used in this exploit to bypass the User Account Control (UAC) protections. There was some confusion at first regarding how the first vulnerability worked but that one ended up being a case of taking advantage of an unpatched memory leak, which then was used to get around the memory address randomization security feature in Windows.
The affected versions of Flash Player include:
Windows and Mac OS X: through 18.104.22.1682 and 14.x, 15.x and 16.x through 22.214.171.1247
Linux: through 126.96.36.1998
Despite Adobe’s hard work to get the vulnerability patched as quickly as possible, many security experts still recommend that if you don’t really need Flash, it’s a best security practice to just uninstall it, due to its ongoing position as a favorite target of attackers. If you do need to have it installed, using the “Ask to activate” mode helps to restrict the use of Flash to only those sites where you really want to use it and helps prevent malicious or compromised web sites from running it without your knowledge.