Exploit kit authors are nothing if not opportunistic, and they know a prime opportunity when they see one. Adobe Flash bugs fit that description nicely, and the people behind the Angler exploit kit have already added an exploit for one of the Flash bugs patched last week to the kit’s arsenal.
This is a common tactic for exploit kit authors, who are in the business of getting the most useful exploits available at the moment into their kits. Angler is just one of the many such exploit kits available to attackers, but the creators of this one seem to be especially quick about adding exploits for new vulnerabilities to the kit. In October, a week after Adobe released its monthly patch update, researchers saw Angler exploiting an integer overflow in Flash that had just been patched.
“This is really, really fast,” Kafeine, a French security researcher who identified the attack at the time, said. “The best I remember was maybe three weeks in February 2014.”
Now, Kafeine said he already has seen Angler exploiting a Flash vulnerability that was patched Nov. 11 in Adobe’s November update release. This vulnerability is CVE-2014-8440, a memory corruption flaw in Flash that can allow an attacker to take control of a target system. The bug exists in Flash on multiple platforms, including Windows, OS X and Linux, and Kafeine said it is getting its share of attention from attackers.
“The vulnerability is being exploited in blind mass attack. No doubt about it: the team behind Angler is really good at what it does,” he said in a blog post.
Flash is one of the key applications that attackers of all stripes target. Exploit kit creators especially love Flash vulnerabilities, thanks to the application’s huge install base. The pool of potential targets is massive, especially among users who don’t update immediately. The patch has only been available for a week, so anyone who hasn’t had time to install it is a prime target for Angler’s creators.
Kafeine said via email that the new Flash CVE-2014-8440 exploit doesn’t seem to be in all of the Angler threads yet, but is in one that is mainly focused on spreading ad fraud malware.