Malware: Attackers are exploiting a flaw in Flash Player

Nutso
2 Star Admiral
Posts: 9614
Joined: Tue Apr 22, 2008 9:58 pm

Malware: Attackers are exploiting a flaw in Flash Player

Post by Nutso »

https://krebsonsecurity.com/2015/01/fla ... y-exploit/
The writer put some useful links in his article if you want to check if your flash player is up-to-date or protect your Windows PC a little bit better.

Also
FYI, be careful when you update Flash, as Adobe has a NASTY habit of trying to make you install other software (Chrome, McAfee, etc) during the install. Unclick everything you don't need, and just don't click through the screens!!! (good advice for any Windows install!!!)
Jan 15
Flash Patch Targets Zero-Day Exploit

Adobe today released an important security update for its Flash Player software that fixes a vulnerability which is already being exploited in active attacks. Compounding the threat, the company said it is investigating reports that crooks may have developed a separate exploit that gets around the protections in this latest update.

Early indicators of a Flash zero-day vulnerability came this week in a blog post by Kafeine, a noted security researcher who keeps close tabs on new innovations in “exploit kits.” Often called exploit packs — exploit kits are automated software tools that help thieves booby-trap hacked sites to deploy malicious code.

Kafeine wrote that a popular crimeware package called the Angler Exploit Kit was targeting a previously undocumented vulnerability in Flash that appears to work against many different combinations of the Internet Explorer browser on Microsoft Windows systems.

Attackers may be targeting Windows and IE users for now, but the vulnerability fixed by this update also exists in versions of Flash that run on Mac and Linux as well. The Flash update brings the media player to version 16.0.0.287 on Mac and Windows systems, and 11.2.202.438 on Linux.

While Flash users should definitely update as soon as possible, there are indications that this fix may not plug all of the holes in Flash for which attackers have developed exploits. In a statement released along with the Flash update today, Adobe said its patch addresses a newly discovered vulnerability that is being actively exploited, but that there appears to be another active attack this patch doesn’t address.

“Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player,” Adobe said. “Additionally, we are investigating reports that a separate exploit for Flash Player 16.0.0.287 and earlier also exists in the wild.”

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash, although as of this writing it seems that the latest version of Chrome (40.0.2214.91) is still running v. 16.0.0.257.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

I am looking forward to the day in which far fewer sites require Flash Player to view content, and instead rely on HTML5 for rendering video content. For now, it’s probably impractical for most users to remove Flash altogether, but there are in-between options to limit automatic rendering of Flash content in the browser. My favorite is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

Update 11:05 p.m. ET: Adobe just issued a bulletin confirming that this latest patch does not protect Flash users against all current, active attacks. The company says it plans to release an update the week of Jan. 26 to address this other security issue.
"Bible, Wrath of Khan, what's the difference?"
Stan - South Park
Captain Picard's Hair
Rear Admiral
Posts: 4042
Joined: Thu Nov 29, 2007 3:58 am
Location: Right here.

Re: Malware: Attackers are exploiting a flaw in Flash Player

Post by Captain Picard's Hair »

Flash is updated once a month nowadays (synchronized with monthly Windows updates), mostly with security fixes. With Windows 8/8.1 the IE version of flash is updated through Windows update. Every now and then there's a flash emergency like this which requires an immediate update. In fact just today another one is out, just a week after the one Nutso reports.

http://arstechnica.com/security/2015/01 ... day-patch/

Browsers and the internet are evolving into a more modern form which does what flash does without the need for a plugin (google "HTML 5") but while flash is still relevant flash security updates are a fact of life. Modern computer security isn't easy.
"If you can't take a little bloody nose, maybe you ought to go back home and crawl under your bed. It's not safe out here. It's wonderous, with treasures to satiate desires both subtle and gross... but it's not for the timid." Q, Q Who