Researcher discovers 'critical' new Adobe Flash zero-day

A widely-used exploit kit called 'Angler' has apparently been used to target a new zero-day affecting the latest versions of Adobe's Flash Player.

Researcher discovers 'critical' new Adobe Flash zero-day
Researcher discovers 'critical' new Adobe Flash zero-day

Malware security researcher ‘Kafeine' came to this conclusion late on Wednesday when he detailed on his ‘Malware don't need coffee' blog on how Angler was sending payloads to target three separate flaws in Flash Player. Two of these were known and patched, but one was an unpatched vulnerability or zero-day.

These payloads (referred to as ‘bullets' by the researcher) were embedded into Flash Player SWF file extensions, allowing the cyber-criminals behind the exploit kit to execute several actions on infected computers, such as downloading and launching malware.

“Disabling Flash player for some days might be a good idea,” wrote Kafeine on his blog, one he plans to update “heavily” in the coming days.

As far as targets go, the zero-day is being actively exploited to hit Windows XP machines and Internet Explorer (IE) versions 6 to 9, as well as the latest version of Flash (16.0.0.257). Windows 7, IE8 and older versions of Flash are also under threat, as is IE10 on Windows 8. Google's Chrome browser and a fully-patched Windows 8.1 are safe due to their use of sandboxing technologies.

Speaking to SCMagazineUK.com shortly the news broke, Kafeine noted that this was a ‘widely-used' and ‘expensive' exploit kit – albeit one that is less often used than the likes of Neutrino and Nuclear Pack.

He added that this was a ‘blind attack' and thus not targeted, saying that Windows XP is “obviously” most at risk. “But the problem relies in Flash Player. Windows 7 and Windows 8 are also dangerous,” he said via email.

“Disable Flash player and wait for an update. I think some security products with anti-exploit technology embedded should be able to stop it.

Angler is used by various cyber-criminal groups, and mainly as a hook into infecting a victim's machine with malware such as Trojans and keystroke loggers. The exploit kit contains code that can exploit vulnerabilities in web-facing software, including browser plug-ins which are often a way into a victim's computer.

In this example, Kafeine says that the exploit kit drops the Bedep Trojan, which can be used to download other malware (including remote access programs) or for malvertising and denial-of-service (DoS) attacks.

This is not the first time the French researcher has seen Angler targeting Flash in recent months; in October, just a week after Adobe's monthly Patch Tuesday update, Kafeine saw Angler exploiting a integer overflow in Flash that had been patched and one month on the kit was used to exploit CVE-2014-8440, a memory corruption flaw that potentially allowed attackers to take control of a target system (Windows, OS X and Linux)..

Pedro Bustamante, director of special projects at Malwarebytes – saw his company's free anti-exploit tool stop the attack in its tracks, he said via email.

“The zero-day vulnerability in Flash Player, as discovered by Kafeine, could provide a big security risk for internet users, effectively opening an unguarded window onto PCs worldwide. The fact that it has seemingly been integrated into the Angler Exploit Kit shows that criminals are keen to use it to target people and businesses en-masse.  Using a delivery mechanism such as Angler increases the chance of successful infections, allowing for accurate attacks through infected adverts on high traffic websites.” 

“The danger of any zero-day is that there is no patch in existence, so I would recommend caution from web-users until a confirmation and update is issued.”

Symantec later confirmed that it too had seen the malware sample and said that the vulnerability is ‘critical' because “Adobe Flash Player is widely used and the flaw allows an attacker to effectively compromise a host, which then allows for the unauthorised installation of malware.”

The anti-virus firm added that the SWF file used in the attack was the ‘Trojan.Swifi'.

Adobe is reportedly investigating the flaw.