Wednesday, October 14, 2015

Zero-day Exploit In-The-Wild


[UPDATE: Adobe has provided a Security Bulletin regarding this zero-day exploit. As of yet there is NO replacement for Flash. So follow the instructions from Adobe linked below in order to remain safe. A patched version of Flash/AIR is promised for the week of October 19th.

The new Adobe Security Bulletin is available HERE.

A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks.  Adobe expects to make an update available during the week of October 19.   
Keep in mind that the affected versions of Flash are ALSO integrated into Adobe AIR. Therefore, be certain to delete/update them BOTH.

As for Adobe Shockwave: It ALSO integrates Flash! My personal advice is to trash Shockwave and never re-install it again. It's essentially dead on the Internet at this point. Unless you run into something, somehow requiring Shockwave, just keep it OUT of your /Library/Internet Plug-ins/ folder forever more.

I'll post further as this situation evolves.

:-Derek ]
~ ~ ~ ~ ~

What happened:

New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries
- October 13, 2015 at 11:57 am, Trend Micro
Trend Micro researchers have discovered that the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we’ve seen in the last couple of years. The affected vulnerability has since been assigned the CVE number CVE-2015-7645. . . .
New Flash flaw lets you beat White House and NATO security
Flaw flings phish Pawn Storm gang tried to get past the great and the good
- 14 Oct 2015 at 05:18 GMT, Richard Chirgwin, The Register 
Trend's analysts reckon the zero-day works on Adobe Flash Player versions and, the latter meaning the vulnerability is present in the most current version of the hopefully-soon-to-be-lamented piece of bugware.

The company emphasises that just because other versions aren't listed doesn't mean they're not vulnerable.

Phishing messages sent to “several ministries of foreign affairs” have links to exploit sites, the company says, warning people to look out for the following subject lines:

  • Suicide car bomb targets NATO troop convoy Kabul
  • Syrian troops make gains as Putin defends air strikes
  • Israel launches airstrikes on targets in Gaza
  • Russia warns of response to reported US nuke buildup in Turkey, Europe
  • US military reports 75 US-trained rebels return Syria
The URLs involved in the latest exploit are, Trend says, similar to those Pawn Storm tried against NATO and the White House in April. ®
Note that yesterday's NEW version of Flash is affected, that being Flash v19.0.0.207. Therefore, AIR v19.0.0.213 is also affected.

Also note: It is possible to run non-Internet downloaded Flash and AIR content without worry. But be wary of using either on anything from the Internet.

It's going to be interesting how Apple responds to this situation. They're going to, at long last, have to deactivate Flash on all supported versions of OS X, with NO safe version to replace it. Steve Jobs must by laughing in the aether.

No doubt, Adobe is scrambling today to get out another patched version of Flash to replace their dangerous current version. What a mess.

Uninstall instructions from Adobe:

Uninstall Flash Player | Mac OS

Removing Adobe AIR

After uninstalling Flash and AIR, RESTART your running web browsers,

Please do this RIGHT NOW. If you have more than one Mac, be certain to dump Flash and AIR there as well. 

Keep an eye out for Adobe's next update, or dump Flash and AIR entirely.



No comments:

Post a Comment