Thursday, January 22, 2015

Critical:
Adobe Flash Zero-Day Exploit ITW
Shut Down Flash Plug-In NOW

--
[UPDATES:
-- Saturday, January 24, Adobe provided yet-another NEW update to Flash Player v16.0.0.296. I'm providing a new article specifically pointing out how to check for it and install it while we wait for Adobe to make it available on their website, the lazy so-and-sos!

v16.0.0.296

All other versions are being exploited in the wild. Get rid of them now. Or just get rid of Flash altogether.

- - Today Adobe has released a very swift NEW update to Flash Player v16.0.0.287. It patches CVE-2015-0310. At the moment it is unclear whether this is the specific zero-day vulnerability that was reported. I'll keep my ear to the ground as details appear. In the meantime: UPDATE NOW to Adobe Flash Player v16.0.0.287, available here:

https://get.adobe.com/flashplayer/

Here is Adobe's NEW security bulletin for this update:

http://helpx.adobe.com/security/products/flash-player/apsb15-02.html

Again: Update NOW! In the meantime, please lock down your Macs against Flash security exploits using the information provided below.]

~ ~ ~ ~ ~

The recently updated version of the Adobe Flash Player internet plug-in (v16.0.0.257) is being exploited in the wild (ITW). It is important to disable Flash NOW. I discuss some methods below.

Here is an article about the current situation from Dan Goodin at Ars Technica:

Attack for Flash 0day goes live in popular exploit kit
Attack exploiting fully updated Flash installs Bedep botnet.
If you've been meaning to disable Adobe Flash, now might be a good time. Attacks exploiting a critical vulnerability in the latest version of the animation software have been added to a popular exploitation kit, researchers confirmed. Attackers often buy the kits to spare the hassle of writing their own weaponized exploits. . . . 
Adobe officials say only that they're investigating the reports. Until there's a patch, it makes sense to minimize use of Flash when possible. AV software from Malwarebytes and others can also block Angler attacks.

How to disable Adobe Flash Player plug-in:

I. The most direct and permanent way to stop Flash is to trash the Internet plug-in from your OS X system. You'll need to be using administrator privileges. The plug-in will be found here:

~/Library/Internet Plug-Ins/Flash Player.plugin

(You don't have to, but can also trash flashplayer.xpt found in the same location).

After it is removed, you'll need to restart your web browser to remove the plug-in from its memory.


II. Some web browsers allow some control over Internet plug-ins. I'll cover Apple's Safari web browser here as an example:

- A. In Safari, go to the menu item Safari/Preferences.../Security and note the last checkbox titled "Internet plug-ins:". You can be drastic and simply UNcheck 'Allow Plug-ins' and you're safe. But alternatively, you can click the button "Manage Website Settings..." and work with the "Adobe Flash Player" settings. 

- B. First click on "Adobe Flash Player" then move over to the right in the window. There you'll see a list of 'Currently Open Websites' using Flash. 

- - 1. If any of these websites are trusted and important to you, use the popup menu to their right and set them to "Ask".

- - 2. For websites NOT important to you, highlight them one at a time and remove them using the minus sign button at the bottom left of the sub-window.

- C. Go to the bottom right of this same window and notice the setting "When visiting other websites:". You can also change its popup menu to "Ask". But the safest setting, until Adobe blocks this exploit, is 'Block'. That's what I'm using.

- D. Click 'Done' in the Security window when finished.


III. There are many Flash blocking add-ons/extensions for web browsers. Here are a few I use:

Safari: ClickToFlash
Firefox: FlashStopper (this works much better with the latest versions of Firefox than Flashblock).
Chromium (and variants thereof): FlashControl.

Be sure to check now whether these add-ons are actually set to 'block' flash. You don't want them set to 'allow' Flash.

That's a quick summary of how to stop being botted by Flash while this and similar crises are ongoing.

I've got a somewhat busy day on my end today. But when I have time, I'll post more about this situation in 'Updates' at the top of the page.

:-Derek

--

5 comments:

  1. Although I still support Mac users needing to update Flash Player ASAP, all the exploits I've been able to learn of (and there were at least three) involved Windows only.

  2. Hi Al! Typically the security hole is cross platform. The exploits are first written for Windows victims as they are still (sadly) the fattest target. Then the exploits are written for other platforms, OS X being #1. There are piles of exploit kits around. OS X was at one time a victim of the Blackhole Exploit Kit. (Recall the BlackHoleRAT.A-C, aka MusMinim malware, now inert). The current Flash exploit is published in the Angler Exploit Kit.

    Here's an article from last December covering several current exploit kits. Note that his list is not complete. He left out at least one critical OS X exploit kit, which shall not be named:

    http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html

  3. An update to Flash Player 16.0.0.296 is now available via your System Preferences, but will not be available for download from any adobe site until next week. See the "Update" to this bulletin http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

    Replies
    1. Verified!

      How to get the update
      Go to:
      System Preferences/Flash Player/Advanced
      - - Click the 'Check Now' button under 'Updates'. That will start the process. You should end up with v16.0.0.296 installed in your 'Internet Plug-ins' folder.

      From the bulletin Al noted above:

      "UPDATE (January 24): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11."

NOTE: This is for yet another CVE beyond what was patched in v16.0.0.287 (which was CVE-2015-3010).

  4. Adobe seems to be back to normal with the updates available in all the usual places. The latest security bulletin is at http://helpx.adobe.com/security/products/flash-player/apsb15-03.html.

    XProtect has been updated to disable all versions prior to Flash Player 16.0.0.296 and 13.0.0.264. If you have elected to Install system data files and security updates automatically in App Store preferences, then you should receive an updated version within 24 hours.
