December 23, 2024

Recently Patched Flash Player Vulnerability Added to Exploit Kit

Posted on October 23, 2014 by in Security

An exploit for a Flash Player vulnerability that was patched just over one week ago by Adobe has already been added by cybercriminals to an exploit kit.

The French malware researcher know as “Kafeine” was the one who first noticed the integration of the exploit for CVE-2014-0569, a Flash Player integer overflow flaw that could lead to arbitrary code execution, into the Fiesta exploit kit. The expert made the discovery while trying to analyze a different Flash vulnerability (CVE-2014-0556).

The vulnerability was reported to Adobe privately through HP’s Zero Day Initiative (ZDI) program so everyone is wondering how the cybercriminals managed to get their hands on the exploit in such a short period of time.

Kafeine told SecurityWeek that he believes the cybercriminals reverse engineered the patch released by Adobe to build their exploit.

“The criminals built this vulnerability into an exploit kit in record time. Whether they were given a heads-up, or just have a highly skilled reverse engineer, both scenarios are equally worrisome as it increases the possible window of infection,” Jerome Segura, senior security researcher from Malwarebytes Labs, told SecurityWeek. “Perhaps this is not too much of a deal for individuals, but it can be more difficult for businesses which need to roll out patches on dozens of machines, hoping doing so will not cause malfunctions in existing applications. Browsing the net on an unpatched computer is like playing Russian roulette with a handful of loaded guns.”

“The bad guys are not going to run short of vulnerabilities they can weaponize, and if this happens at a quicker rate than ever before, their success rate will increase. This leaves end users with very little room for mistakes, such as failing to diligently apply security patches sooner rather than later,” Segura added.

Initially, Kafeine believed the exploit for CVE-2014-0569 was integrated into the Angler exploit kit as well, but in an update made to his original blog post, the researcher noted that the exploit included in Angler actually appears to be for a different Flash vulnerability patched by Adobe last week.

In the case of the Angler exploit kit, the first payload that’s distributed is Bedep (detected by Malwarebytes as Trojan.FakeMS.ED), which enrolls infected computers into a botnet. The final payload is a variant of the notorious Zeus banking Trojan, Kafeine said.

Both the Fiesta and Angler exploit kits are popular among cybercriminals. Angler was recently involved in a malvertising campaign targeting several high-profile websites, including Java.com.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

BlackBerry 10 Haunted by Adobe Flash Vulnerabilities

Posted on January 14, 2014 by in Security

BlackBerry today warned that its newest smartphones and tablets are at risk of remote code execution attacks via vulnerabilities in Adobe Flash Player.

According to a BlackBerry advisory, a malicious hacker could booby-trap Adobe Flash content and lure users into visiting rigged Web pages or downloading Adobe Air applications.

BlackBerry Z10 and Q10 Smartphones“If the requirements are met for exploitation, an attacker could potentially execute code with the rights of the application that opens the specially crafted malicious Flash content,” BlackBerry warned.

From the BlackBerry advisory:

Vulnerabilities exist in the Flash Player version supplied with affected versions of the BlackBerry 10 OS and PlayBook OS. The Flash Player is a cross-platform, browser-based application runtime.

Successful exploitation of these vulnerabilities could potentially result in an attacker executing code in the context of the application that opens the specially crafted Flash content (typically the web browser). Failed exploitation of this issue might result in abnormal or unexpected termination of the application.

In order to exploit these vulnerabilities, an attacker must craft Flash content in a stand-alone Flash (.swf) application or embed Flash content in a website. The attacker must then persuade the user to access the Flash content by clicking a link to the content in an email message or on a webpage, or loading it as part of an AIR application. The email message could be received at a webmail account that the user accesses in a browser on BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry tablets.

Affected products include the BlackBerry Z10 and BlackBerry Q10 smartphones and the BlackBerry PlayBook tablet.

The company said it was not aware of any active exploitation of the Flash Player vulnerabilities.

Separately, Adobe shipped a cross-platform Flash Player update to fix at least four vulnerabilities that expose users to hacker attacks. Adobe said the vulnerabilities could be exploited to cause a crash and potentially allow an attacker to take control of the affected system.

Ryan is the host of the podcast series “Security Conversations – a podcast with Ryan Naraine“. He is the head of Kaspersky Lab’s Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.

Previous Columns by Ryan Naraine:


SecurityWeek RSS Feed