Adobe on Saturday began patching a zero-day vulnerability in Flash Player, exploits for which have been included in the notorious Angler Exploit Kit. This is the second of two previously unreported critical flaws in the software that have been patched in the last five days.
Adobe last Thursday sent out an emergency patch for another zero-day under attack for a vulnerability that could be used to defeat memory protections on Windows machines.
The second vulnerability, CVE-2015-0311, was reported by French researcher Kafeine, known for his work studying exploit kits and malware used in cybercrime and targeted attacks. The flaw affects Adobe Flash versions 220.127.116.117 and earlier on Windows and Mac OS X machines. Adobe said it is aware of active exploits via drive-buy download attacks against Windows 8.1 and earlier machines running IE or Firefox.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in an advisory.
On Saturday, Adobe released the patch for users who have enabled auto-update for Flash Player desktop runtime. Those users began getting the fix via version 18.104.22.1686.
“Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11,” Adobe said.
As of this morning, a manual download is still not available from Adobe.
“As a matter of fact, Adobe still lists 22.214.171.1247 as the most recent version,” said Johannes Ullrich of the SANS Internet Storm Center. “You can download 126.96.36.1996 if you manually check for updates using Flash.”
The inclusion of CVE-2015-0311 in the Angler Exploit Kit is worrisome because that could increases the odds vulnerable machines would be attacked before the availability of a patch. Kafeine said only some instances of the exploit kit, however, contain the exploit.
Last Thursday, Kafeine said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1. The Flash zero-day exploit is being used to install a version of the Bedep malware, which is used in ad fraud campaigns.
One last bad news : Windows 8.1 Internet Explorer 11 fully updated is now owned as well. pic.twitter.com/TgIMVoXliU
— Kafeine (@kafeine) January 22, 2015
Researchers at Cisco, meanwhile, said that security engineers should expect this trend of Flash zero days finding their way into exploit to continue.
“The group is incorporating these exploits into the Angler EK before the bugs are publicized,” researchers Nick Biasini, Earl Carter and Jaeson Schultz wrote in a report published on Friday. “Considering these 0-day exploits are being used alongside one of Angler’s preferred methods of distribution, malvertising, thus intensifying the potential for large-scale compromise.”
Cisco said its data shows the Angler exploit for Flash is targeting only IE and Firefox, and that Chrome is being served only other exploits. The researchers report a spike in Angler attacks starting Jan. 20.
Adobe released the patch for users who have enabled auto-update for Flash Player desktop runtime.Tweet
“Although this spike showed an increase in Angler related attacks, these attacks represent a small minority of the overall attack traffic. Based on our telemetry data we have seen domains associated with a single registrar being primarily responsible for the exploits being delivered,” the Cisco report said. “The approach appears to be rapid domain registration and exploitation with quick rotation of domains. Despite the rapid use of domains the IP’s associated with the attacks have been limited to two primary addresses (46[.]105.251.7 & 94[.]23.247.180).”
The domains, Cisco said, are used only for 24 hours and that the attackers continue to register new domains daily.