Time to abandon Flash? Hit by zero-day once again

News by Rene Millman

Security industry calls on organisations to ditch the vulnerable browser plug-in as yet another zero-day flaw hits Flash

Yet another vulnerability has been discovered in Adobe's Flash Player, leading to calls by security experts to ban the plug-in from users' computers.

The flaw was discovered by IT security firm FireEye. Researchers at the firm said a Chinese hacker group, known as APT3, was behind the exploit and was using it to target victims in the aerospace and defence, construction and engineering, high tech, telecommunications and transportation industries. This would indicate that the gang was intent on stealing IP or engaging in espionage.

The firm said in a blog posting that this group is “one of the more sophisticated threat groups that FireEye Threat Intelligence tracks, and they have a history of introducing new browser-based zero-day exploits (for example, Internet Explorer, Firefox, and Adobe Flash Player).”

"After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors. APT3's command and control (CnC) infrastructure is difficult to track, as there is little overlap across campaigns."

The flaw has been exploited by hackers for weeks, with victims targeted through phishing emails. The exploit takes advantage of how Flash Player parses Flash Video (FLV) files, uses common vector-corruption techniques to bypass address space layout randomisation (ASLR), and uses return-oriented programming to bypass data execution prevention (DEP).

The shellcode is stored in the packed Adobe Flash Player exploit file alongside the key used to decrypt it. The payload is XOR-encoded and hidden inside an image.
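The two paragraphs above describe a payload that is XOR-encoded and appended inside an image carrier. When an analyst has captured such a file, the first triage step is usually to split off whatever follows the image's end marker and test it for a single-byte XOR key that yields a PE header. The following is an added example written for this article; it is not FireEye's, Adobe's or the attackers' code. It assumes a JPEG carrier and a single-byte key (the article states neither), and the "payload" it decodes is a constructed, inert DOS/PE header stub, not real shellcode.

```python
"""Triage helper for an XOR-encoded executable hidden after a JPEG.

Added example for illustration; assumptions: JPEG carrier, single-byte XOR key.
"""
import struct
from typing import Optional, Tuple

JPEG_EOI = b"\xff\xd9"  # JPEG End-Of-Image marker


def split_after_jpeg(data: bytes) -> bytes:
    """Return the bytes that follow the last JPEG EOI marker (b'' if none).

    Simplification: a real parser should walk the JPEG segments, because
    embedded thumbnails can carry their own EOI marker.
    """
    idx = data.rfind(JPEG_EOI)
    if idx < 0:
        return b""
    return data[idx + len(JPEG_EOI):]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte (same operation encodes and decodes)."""
    return bytes(b ^ key for b in data)


def find_xor_pe(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Try all 256 single-byte keys; return (key, decoded) if the result looks like a PE.

    The check is structural: an 'MZ' DOS header whose e_lfanew field (offset 0x3c)
    points at a 'PE\\0\\0' signature. A chance 'MZ' match alone is not enough.
    """
    if len(blob) < 0x40:
        return None
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if decoded[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
        if decoded[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return key, decoded
    return None


def triage(data: bytes) -> Optional[Tuple[int, bytes]]:
    """Full pipeline: carve the trailing data, then look for an XOR-encoded PE."""
    tail = split_after_jpeg(data)
    if not tail:
        return None
    return find_xor_pe(tail)


# --- constructed sample (not a real exploit artefact) -----------------------
def build_fake_pe_stub() -> bytes:
    """Inert stand-in for an executable: DOS header with e_lfanew -> 'PE\\0\\0'."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew = 0x40
    stub += b"PE\0\0" + b"\x00" * 20           # minimal signature, no real headers
    return bytes(stub)


CONSTRUCTED_KEY = 0x5A
# A tiny "JPEG" (SOI, filler, EOI) followed by the XOR-encoded stub.
CONSTRUCTED_IMAGE = (
    b"\xff\xd8" + b"\x00" * 32 + JPEG_EOI
    + xor_bytes(build_fake_pe_stub(), CONSTRUCTED_KEY)
)

if __name__ == "__main__":
    hit = triage(CONSTRUCTED_IMAGE)
    if hit:
        print(f"XOR key 0x{hit[0]:02x}, decoded {len(hit[1])} bytes, header {hit[1][:2]!r}")
    else:
        print("no XOR-encoded PE found after image")
```

The structural PE check matters in practice: testing only for "MZ" produces a false hit for some key on almost any trailing data, whereas requiring e_lfanew to land on "PE\0\0" keeps the 256-key brute force reliable. Multi-byte keys and other carriers (PNG, GIF) need the same idea with a longer key search and a different end-of-image test.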

"Once a target host was profiled, victims downloaded a malicious Adobe Flash Player SWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT, detected by FireEye as 'Backdoor.APT.CookieCutter', being delivered to the victim's system," said researchers.

The vulnerability has led to Adobe issuing an out-of-band update to Flash to patch CVE-2015-3113. Adobe said the exploit has targeted systems running Internet Explorer on Windows 7 and below, as well as Firefox on Windows XP. However, the patch updates Flash not only on Windows, but also on Linux and Mac OS X.

The latest flaw has led to calls to stop using Flash on computers. Security analyst Brian Krebs said in a blog post that “in lieu of patching Flash Player yet again, it might be worth considering whether you really need to keep Flash Player installed at all!”

Gavin Reid, vice president of threat intelligence at Lancope, told SCMagazineUK.com that banning Flash from an organisation would be a “short-term solution” and would just lead to hackers targeting other browser helper apps, such as Silverlight.

“Another possible solution would be browser extensions such as FlashControl that stops auto-run of flash and gives users the ability to control and use Flash only when they want it,” said Reid.

Fraser Kyne, principal systems engineer at Bromium, told SC that he questions whether banning Flash would be helpful to organisations.

“Security is certainly about making sensible choices; but we should strive for better. Flash is not the only culprit, and following this logic you'd need to ban all potentially vulnerable software eventually. Can you live without Flash? What about Java? What about living without a browser…? Where does this stop?” said Kyne.

Justin Clarke, co-founder at security consultancy Gotham Digital Science, told SCMagazineUK.com that, as keeping Flash up to date in an enterprise environment can be challenging (due to the frequent patches that are released), organisations should consider whether they want to ban Flash and Java entirely.

“If not - organisations need to be aware that it is a potential vector for malware to get into their organisation, and make sure they have controls in place to detect if such an exploit takes place, as well as having the processes and technologies in place to respond to, contain and shut down an ongoing attack on their organisation,” said Clarke.

Steve Ward, senior director at iSIGHT Partners, told SC in an email that companies should prioritise patching CVE-2015-3113, "especially if their organisation is in one of the targeted industries or sectors".

He added: "UPS Team, the name iSIGHT Partners uses to track this Chinese espionage group, has recently been linked to Scanbox, a JavaScript framework used to profile and then infect select victims with Pirpi malware. We have no indication that any other actors or groups are exploiting this vulnerability; therefore, exploitation poses a limited but serious threat in the short term."

Chris Boyd, malware intelligence analyst at Malwarebytes, told SC that targeted companies need to be proactive and give regular training to staff regarding spear-phishing and the danger of bad links.

“As demonstrated time and again, securing technology is only half the battle - and more often than not, it's the human element that brings the security walls crashing down,” he said.

Carl Leonard, principal security analyst at Raytheon Websense, told SCMagazineUK.com that while the use of Flash in websites is in decline according to several surveys, “If Flash is required within an organisation then an effective patch management process is a necessity.”
