An emergency patch was released on 7 April for a new zero-day vulnerability in Adobe Flash, assigned CVE-2016-1019 and described as critical: it could potentially affect all versions of Flash on Windows, found on a billion computers worldwide, and is being used to install ransomware.
On 2 April Proofpoint researchers found the Magnitude exploit kit exploiting Adobe Flash version 18.104.22.1686. Proofpoint worked collaboratively on identifying the problem and a FireEye researcher confirmed that the exploited vulnerability was unknown and Adobe was informed.
This new exploit can potentially work against any version of Adobe Flash, including a fully patched instance. However, the threat actors implemented it in a degraded mode so that it only targeted older versions of Flash, a faulty implementation seen previously in Angler. Proofpoint reports that it has been used by a single actor to spread ransomware, first Cryptowall crypt1001, then Teslacrypt ID=39, switching this month to distributing Cerber.
Adobe thanked Kafeine (EmergingThreats/Proofpoint) and Genwei Jiang (FireEye, Inc.), as well as Clement Lecigne of Google for reporting CVE-2016-1019 and for working with Adobe; Proofpoint summarised the findings as follows:
· Magnitude EK was found to be exploiting a previously unreported vulnerability in Adobe Flash, now assigned CVE-2016-1019.
· Due to a faulty implementation of the exploit, it was not targeting the latest, fully patched versions of Adobe Flash in a way that could result in infection.
· The exploit has been in the wild since at least March 31, 2016.
· The exploit was observed spreading the Cerber and Locky ransomware, among others.
· There is evidence that Nuclear Pack was also equipped with code to exploit CVE-2016-1019 but did not run it against fully patched systems.
· Adobe has issued an emergency patch and advisory (APSA16-01) for this vulnerability.
On releasing the patch, Adobe issued a statement saying that it is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Adobe Flash Player 22.214.171.124 and earlier versions for Windows, Macintosh, Linux, and Chrome OS.
Critics are once again saying that it may be time to uninstall Flash; if not, install the patch and consider enabling Click to Play, so that Flash content runs only after the user explicitly allows it.
Trend Micro comments that it has observed active zero-day attacks from the Magnitude Exploit Kit affecting users of Flash 126.96.36.1996 and earlier. These attacks are not effective against users of Flash versions 188.8.131.52 and 184.108.40.206, because of a heap mitigation that Adobe introduced in version 220.127.116.11 and which is also present in version 18.104.22.168. Users of these versions will only experience a crash in Adobe Flash when attacks attempt to exploit the vulnerability.
Trend also reports seeing the zero-day attack included in the code of the Magnitude Exploit Kit lead to Locky ransomware, malware that abuses macros in document files to hide its malicious code and which reportedly hit the systems of the Methodist Hospital in Kentucky, USA. FireEye's analysis of the method used includes the observation that, “The exploit's code layout and some of the functionalities are similar to the leaked HackingTeam exploits, in that it downloads malware from another server and executes it.”