Adobe’s Flash technology is widely used all across the web to create animations, games and other “rich content”, but that also makes it a favorite target of attackers, and Adobe’s security record has been less than stellar; it sometimes seems as if every other week brings another tale of a new vulnerability in Flash.
Security has been such a concern that in 2010, Apple refused to support Flash on the iOS operating system, well-known security researcher Charlie Miller recommended not installing Flash, and even the US-CERT (Computer Emergency Response Team) encouraged the blocking of Flash.
This week, Flash is in the news again, with reports of a new zero day vulnerability in Flash Player being exploited with the help of an exploit kit called Angler. Exploit kits are particularly disquieting because they make it easy for anyone, without a high level of programming skill, to launch malicious attacks. Exploit kits are becoming a “tool of the trade” for cyber criminals without the requisite technical skills to do it themselves, or those who are just lazy and in a hurry.
Like all exploit kits, Angler comes with packaged, pre-written malicious code and can be purchased or passed around between friendly hackers to spread malware and take advantage of software vulnerabilities in popular products. Angler includes multiple exploits that work on different vulnerabilities. Back in September, Angler was reported to be using a new method of injecting malicious code directly into running processes.
The Flash exploit included in the current version of Angler has a wide reach because it works against many versions of Internet Explorer running on operating systems ranging from Windows XP to Windows 8. Those still running Windows XP are at particular risk: that operating system reached end of support in April 2014 and no longer receives security updates, so even a fully patched XP machine stays exposed to any underlying OS weakness the exploit leans on.
The good news is that Windows 8.1 doesn’t appear to be at risk at this time, nor is the Chrome web browser, which ships its own sandboxed copy of Flash Player rather than using the system ActiveX control. The bad news is that the exploit kit is updated from time to time, adding new exploits and new capabilities, so “not affected today” is not a long-term assurance.
Angler uses “drive-by downloads” – the downloading of the malware to a computer without the consent or knowledge of the user when the user visits a web site. The web site itself may be maliciously crafted by the malware authors or it may be a legitimate site that the attacker has been able to compromise by uploading malicious code.
In this case, the attackers are apparently using the exploit to build a botnet, turning the infected computers into “zombies” under the attackers’ control. The payload dropped by the kit is a malware package called Bedep, which in turn installs ad-fraud malware that generates fraudulent ad clicks from the victim’s machine.
The researcher who discovered this exploit in Angler has reported the problem to Adobe, but a patch has not yet been issued to fix the flaw, which is what makes this a “zero day.” Adobe has announced that it is investigating the issue. Until an update is released, the most effective protection is to disable Flash Player. To disable Flash in Internet Explorer, select Manage Add-ons from the settings (gear icon) menu, change the Show drop-down to “All add-ons,” find the Shockwave Flash Object entry and click the Disable button. Note that this only covers Internet Explorer; other applications that embed the Flash ActiveX control, or other browsers with their own Flash plugin, need to be handled separately.
Admins can also disable Flash through Group Policy. The setting is under User Configuration | Administrative Templates | Windows Components | Internet Explorer | Security Features | Add-on Management, and is named “Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects.” The same setting is also available under Computer Configuration, which is the better choice when you want it enforced regardless of who logs on.
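The Group Policy setting above is ultimately just a registry value, and on machines that are not domain-joined (or where you want to confirm what a GPO actually applied) it can be set and checked directly. The PowerShell script below is an added example for this post, not code from GFI, Adobe or Microsoft: it writes the policy value, additionally sets the ActiveX “kill bit” on the Flash Player control so that Internet Explorer refuses to instantiate it even if the policy is later removed, and reports the installed ActiveX Flash version so you can tell at a glance which machines still need the eventual Adobe update. The CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000} is the well-known class ID of the Flash Player ActiveX control and the kill-bit flag 0x400 is the documented COMPAT_EVIL_DONT_LOAD value; the policy value name DisableFlashInIE and the FlashPlayerActiveX version key are assumptions from memory of inetres.admx and the Flash installer, so verify them against your own ADMX files and a test machine before rolling out. Run it from an elevated, 64-bit PowerShell prompt on 64-bit Windows.

```powershell
# Added example (not from the original post): disable the Flash Player ActiveX
# control in Internet Explorer via the policy value plus the ActiveX kill bit,
# then verify. Run elevated. ASSUMPTIONS to verify on your build: the policy
# value name 'DisableFlashInIE' and the 'FlashPlayerActiveX' version key.

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Flash Player ActiveX control
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Security'
$KillBit    = 0x400                                        # COMPAT_EVIL_DONT_LOAD

# Kill-bit locations: native view, plus the WOW64 view that 32-bit IE reads on 64-bit Windows.
$KillBitKeys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $KillBitKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
}

function Get-FlashActiveXVersion {
    # Version string written by the Flash ActiveX installer (assumed key name).
    $key = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX'
    if (Test-Path $key) { return (Get-ItemProperty -Path $key).Version }
    return $null
}

function Disable-FlashInIE {
    # 1. The value the Group Policy setting writes (assumed name); 1 = policy enabled.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'DisableFlashInIE' -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # 2. Kill bit: OR 0x400 into 'Compatibility Flags' so IE will not load the control
    #    at all, independent of the policy and of the per-user Manage Add-ons state.
    foreach ($k in $KillBitKeys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = if ($existing) { $existing -bor $KillBit } else { $KillBit }
        New-ItemProperty -Path $k -Name 'Compatibility Flags' -Value $flags `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-FlashDisabledInIE {
    # $true only when the policy value is set AND every kill-bit location carries 0x400.
    $policy = (Get-ItemProperty -Path $PolicyKey -Name 'DisableFlashInIE' `
                  -ErrorAction SilentlyContinue).DisableFlashInIE
    $killed = $true
    foreach ($k in $KillBitKeys) {
        $flags = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or -not ($flags -band $KillBit)) { $killed = $false }
    }
    return (($policy -eq 1) -and $killed)
}

$ver = Get-FlashActiveXVersion
Write-Host ("Installed Flash ActiveX version: " + $(if ($ver) { $ver } else { 'not installed' }))
Disable-FlashInIE
Write-Host ("Flash disabled in IE: " + (Test-FlashDisabledInIE))
```

Close and reopen Internet Explorer after running it, then confirm in Manage Add-ons that Shockwave Flash Object is listed as disabled or no longer loads. The kill bit is deliberately belt-and-braces: it survives a user re-enabling the add-on and a later policy removal, so when Adobe ships the fix and you want Flash back you must clear the 0x400 bit as well as the policy value. None of this patches Flash; the version check is there so you can still push the real update once it exists.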
Patch Central is GFI’s source of in-depth information about patching, vulnerabilities and the latest security commentary. If you want a better understanding of patching and patch management, you can get more information here. If you are an experienced sysadmin, you can download a free 30-day trial of GFI LanGuard.