Monday, February 2, 2015

CRITICAL Adobe Flash FAIL Yet-Again:
Third Zero-Day Attack ITW In Three Weeks

--

[UPDATE 3: Adobe's patched version of Flash Player, v16.0.0.305, is now universally available. I added the link and summary text of their relevant security document below. Apple also updated XProtect to prevent use of earlier, vulnerable versions of Flash Player. Thank you Apple! 

And there is peace again across our land for at least this day. But the wary eye remains ever vigilant.

Update 2: Adobe Flash Player v16.0.0.305 is now available directly from Adobe's website:

https://get.adobe.com/flashplayer/

Please download and install now in order to avoid the ongoing exploit of previous versions of Flash.

Update 1: Adobe updated their related security statement on Wednesday:

(February 4): Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.305 beginning on February 4. This version includes a fix for CVE-2015-0313. Adobe expects to have an update available for manual download on February 5, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11.
]

~ ~ ~ ~ ~


There is an exploit of older versions of Adobe Flash Player active in-the-wild (ITW). Adobe has now provided Flash Player version v16.0.0.305 at its website, as noted in the updates above. P
lease download and install the update ASAP! 

My pal and collaborator Al V notes that Apple has updated their XProtect system in OS X to disable exploited/vulnerable versions of Flash Player, those being earlier than 16.0.0.305 and 13.0.0.269.


• Here is Adobe's full security bulletin about the zero-day and update:

https://helpx.adobe.com/security/products/flash-player/apsb15-04.html
Summary

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.  

Adobe is aware of reports that CVE-2015-0313 is actively being exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.  Adobe recommends users update their product installations to the latest versions: 

Users of the Adobe Flash Player desktop runtime for Windows and Macintosh should update to Adobe Flash Player 16.0.0.305

Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.269. 

Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.442. 

Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, will automatically update to version 16.0.0.305.
• Here is Adobe's earlier alert about the zero-day exploit:

https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
Summary

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh.  Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe expects to release an update for Flash Player during the week of February 2.
A relevant article on the attack over at Forbes:

Hackers Abuse Another Adobe Zero-Day To Attack Thousands Of Web Users
Visitors to any affected site would have been redirected to an attacker-controlled page where an exploit kit would attempt to compromise the target system by targeting the Adobe Flash zero-day.
My brief advice:

Have a Flash blocking add-on in ALL your web browsers. ALL.

Safari has it's own Flash blocking system which you can reach in its Preferences here:

1) Preferenced: Security: Manage Website Settings... (button):

2) On the left of the pane, choose 'Adobe Flash Player'.

3) On the resulting right side:

- a) REMOVE all 'Configured Websites' using the minus (-) button.

- b) Set 'When visiting other websites' to 'Block' using the popup menu.

This setting forces Safari to put up a 'blocked' notice. You can then click that notice to approve each individual website you visit. Just remember that at this point some very prominent, usually safe websites are being compromised with this zero-day. Be extremely careful what you unblock.

OR: Just UNINSTALL nasty Flash. POS.


--

ADDENDUM:

Snarky The Register posted a fun and poignant article on the subject:

According to Trend Micro, the Angler exploit kit was updated to leverage this particular flaw, and used to inject malware into PCs visiting web video site dailymotion.com via a dodgy ad network. 
Web browsers were told to fetch retilio.com/skillt.swf, which was booby-trapped to exploit the zero-day security hole. 
"So far we’ve seen around 3,294 hits related to the exploit, and with an attack already seen in the wild, it’s likely there are other attacks leveraging this zero-day, posing a great risk of system compromise to unprotected systems," said Peter Pi, threats analyst at Trend. . . .
The worst, very worst, part of it all is that Steve Jobs was right. ® 
(^_^)