Time to abandon Flash? Hit by zero-day once again

Security industry calls on organisations to ditch vulnerable browser plug-in as yet another zero-day flaw hits flash

Researcher discovers 'critical' new Adobe Flash zero-day
Researcher discovers 'critical' new Adobe Flash zero-day

Yet another vulnerability has been discovered in Adobe's Flash player, leading to calls by security experts to ban the plug-in from user's computers.

The flaw was discovered by IT security firm FireEye. Researchers at the firm said a Chinese hacker group, known as APT3, was behind the exploit and was using it to target victims in the aerospace and defence, construction and engineering, high tech, telecommunications, transportation industries. This would indicate that the gang was intent on stealing IP or engage in espionage.

The firm said in a blog posting that this group is “one of the more sophisticated threat groups that FireEye Threat Intelligence tracks, and they have a history of introducing new browser-based zero-day exploits (for example, Internet Explorer, Firefox, and Adobe Flash Player).”

"After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors. APT3's command and control (CnC) infrastructure is difficult to track, as there is little overlap across campaigns."

The flaw has been used by hackers for weeks with victims being targeted with phishing emails. The flaw takes advantage of how Flash Player parses Flash Video files and uses common vector corruption techniques to bypass address space layout randomisation security, and uses return-oriented programming to bypass data execution prevention.

Shellcode is stored in the packed Adobe Flash Player exploit file alongside a key used for its decryption. The payload is xor encoded and hidden inside an image.

"Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as 'Backdoor.APT.CookieCutter', being delivered to the victim's system," said researchers.

The vulnerability has led to Adobe issuing an out-of-band update to Flash to patch CVE-2015-3113. Adobe said the exploit has targeted systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP. However, the patch updates Flash not only on Windows, but also Linux and Mac OS X.

The latest flaw has led to calls to stop using Flash on computers. Security analyst Brian Krebs said in a blog post that “in lieu of patching Flash Player yet again, it might be worth considering whether you really need to keep Flash Player installed at all!”

Gavin Reid, vice president of threat intelligence at Lancope told SCMagazineUK.com that banning Flash from an organisation would be a “short-term solution” and just lead to hackers targeting other browser helper apps, such as Silverlight.

Page 1 of 2