Exploit For Patched Flash Vulnerability Already In Two Exploit Kits

A week-old Adobe Flash Player vulnerability has already been integrated into the Angler and Fiesta exploit kits, researcher Kafeine discovered.

Two notorious exploit kits are already seeding vulnerable websites with exploits for a Flash Player vulnerability that was patched in last week’s Adobe security bulletin.

French researcher Kafeine told Threatpost that the most likely scenario is that a skilled coder found a way to reverse-engineer the Adobe patch in order to build the exploit. Regardless, a week from patch to inclusion in an exploit kit—in this case the Angler and Fiesta EKs—is a harsh reminder of how quickly the window from vulnerability to exploit can slam shut.

“This is really, really fast,” Kafeine said. “The best I remember was maybe three weeks in February 2014.”

Kafeine was referring to CVE-2014-0497, another Flash exploit integrated into the Angler Exploit Kit that prompted an emergency patch from Adobe on Feb. 4. Those exploits were dropping a password-grabbing Trojan targeting Chinese email and social media accounts, likely from an isolated campaign, said researchers from Kaspersky Lab at the time.

Last week’s patch addressed an integer overflow vulnerability that could lead to code execution. An alert from Cisco said the bug is found in the casi32 implementation used by Flash.

“An unauthenticated, remote attacker could exploit this vulnerability by persuading a user to visit a malicious web page that contains crafted Flash content,” the advisory said. “If successful, the attacker could execute arbitrary code in the security context of the affected application. If the application is running with elevated privileges, this could result in a complete system compromise.”

Fiesta and Angler are among a menu of exploit kits available on underground forums and used in campaigns to own websites and redirect victims off to sites hosting banking malware and other types of malicious code. Most recently, malicious ads from online ad network AppNexus were found on heavily trafficked websites such as TMZ. The malvertising campaigns used exploits in the Angler kit to infect visitors with malware by redirecting them from the host site to a third-party site, where additional attacks were carried out.

In addition to Flash and Java exploits, Angler has also been spreading exploits for bugs in Microsoft Silverlight, a plug-in similar to Flash for streaming media. Silverlight is most well known for being used in the Netflix streaming service.

Angler and Fiesta are among the potential successors to the Blackhole Exploit Kit, which virtually disappeared after its creator, a Russian hacker known as Paunch, was arrested.

Suggested articles