2 new Adobe Flash 0-Day exploits in the wild. Disable Flash
Moderator: Wiz Feinberg
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
On Thursday, January 22, I wrote a security blog article about new Flash Player vulnerabilities that are being exploited in the wild. Adobe patched one of the two holes, but left the other one open. I expect that Adobe will soon release a second out of band patch for exploit #2.
In the meantime, if you visit websites that run advertising from ad networks and you have a Windows PC and are browsing with either Firefox or Internet Explorer, you are at risk of a drive-by download of malware. My article explains all this and shows you how to stay protected until Adobe patches this for good.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
- Richard Sinkler
- Posts: 17676
- Joined: 15 Aug 1998 12:01 am
- Location: aka: Rusty Strings -- Missoula, Montana
Something weird happened to me today. But, I use Chrome. I was on some news site and clicked on a video. A new smaller window appeared with some text (sorry, I didn't write it down) and an "OK" button. I didn't like the looks of it and wouldn't click the button. But I tried to close the window with the x button in the upper right corner. Window wouldn't close. I tried to close Chrome, but couldn't. Couldn't navigate away from Chrome to any other running programs. It was similar to that FBI ransomware bug. But, I was able to start task manager and kill Chrome. Everything looked cool, but I ran a full scan with MalwareBytes. Found nothing. Since it happened when clicking on a video, could this be related?
Carter D10 8p/7k, Dekley S10 3p/4k C6 setup, Regal RD40 Dobro, Recording King Professional Dobro, NV400, NV112, Ibanez Gio guitar, Epiphone SG Special (open G slide and regular G tuning guitar). Playing for 55 years and still counting.
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
It is unlikely that what happened to you was due to the Angler Exploit kit. It doesn't currently target Chrome browsers at all.
I will update this and my blog article when Adobe patches every part of this exploit attack.
BTW: I am directly in touch with the researcher who discovered this situation.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
- Richard Sinkler
- Posts: 17676
- Joined: 15 Aug 1998 12:01 am
- Location: aka: Rusty Strings -- Missoula, Montana
Thanks. It will be a great day when HTML5 video finally knocks Flash out.
Carter D10 8p/7k, Dekley S10 3p/4k C6 setup, Regal RD40 Dobro, Recording King Professional Dobro, NV400, NV112, Ibanez Gio guitar, Epiphone SG Special (open G slide and regular G tuning guitar). Playing for 55 years and still counting.
-
- Posts: 1565
- Joined: 15 Apr 2003 12:01 am
- Location: Texas
I ran a new Flash update yesterday based on the invitation it offered me - maybe that was the other patch?
At any rate, I dislike ads, and I can't tolerate all the Flash videos starting simultaneously when I load a group of Firefox tabs, so I have Adblock Plus to kill ads, but also have the add-on Flashblock as well. With that, nothing "Flash" opens unless I explicitly click on the icon.
I'll disable it anyway, based on the advice here. I've never been a web video junkie.
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
Dave Potter wrote: I ran a new Flash update yesterday based on the invitation it offered me - maybe that was the other patch?
Nope. That fixed an earlier exploit vector. It is Flash 16.0.0.287 and is still exploited silently and downloads malware. The real fix will have a higher number than .287.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
-
- Posts: 1565
- Joined: 15 Apr 2003 12:01 am
- Location: Texas
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
Dave Potter wrote: Do YouTube videos present this kind of threat?
Not normally. The miscreants buy advertising on ad networks. They submit normal ads to get approved. After a certain amount of time they begin serving compromised ads in Flash format. Hidden codes do the dirty work.
My researcher friend who discovered this new threat told me that Malwarebytes Anti-Exploit stopped an attack in his virtual machine in his lab. I am testing MBAE myself and will report back here if it actually blocks an attempted exploit.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
- Scott Duckworth
- Posts: 3464
- Joined: 6 Apr 2013 8:41 am
- Location: Etowah, TN Western Foothills of the Smokies
- Contact:
Yahoo News had a big article about this yesterday...
Amateur Radio Operator NA4IT (Extra)
http://www.qsl.net/na4it
I may, in fact, be nuts. However, I am screwed onto the right bolt... Jesus!
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
I have posted three updates since writing my blog article about the current Flash Player exploits. Update 3 (today) describes another patched version of Flash Player, 16.0.0.296, which is only available via automatic Flash Updates (Control Panel Flash applet > Advanced).
For those using non-Windows operating systems, or whose account privileges are insufficient to install such browser plugins, you're still safest disabling Flash until Adobe releases the new update to everybody (manual downloading and installation).
The manual update will become available this week, as Adobe sees fit. Perhaps they have run into compatibility problems caused by it (this happens with security patches).
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
- Todd Goad
- Posts: 410
- Joined: 20 Jul 2012 7:17 am
- Location: Gray, Georgia, USA
Wiz, I show that I have the latest Flash Player beta version installed. (Your version: 16.0.0.296, Latest Version: 16.0.0.287).
Is this the correct latest version? I am not sure what BETA means? I'm guessing it is a test version. Am I right?
Please let me know what I should do, if anything?
Thanks,
Todd
Mullen G2 "THE SAVIOR" BJS Bars Peterson Stroboflip Tuner NV400 GoodrichL20
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
Todd Goad wrote: Wiz, I show that I have the latest Flash Player beta version installed. (Your version: 16.0.0.296, Latest Version: 16.0.0.287).
Is this the correct latest version? I am not sure what BETA means? I'm guessing it is a test version. Am I right?
Please let me know what I should do, if anything?
Thanks,
Todd
Beta indicates that Adobe has not finished quality testing that version. It won't surprise me if they have to patch the patch that is still to be released to the GP.
As for what you can do, all that is outlined fully in my blog article.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
Adobe has resolved the version discrepancies. You can now manually download version 16.0.0.296 from the Flash Player Download Center.
All the links and details are on my followup blog article I posted this afternoon.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
- Jon Light (deceased)
- Posts: 14336
- Joined: 4 Aug 1998 11:00 pm
- Location: Saugerties, NY
- Contact:
- Sonny Jenkins
- Posts: 4413
- Joined: 19 Sep 2000 12:01 am
- Location: Texas Masonic Retirement Center,,,Arlington Tx
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
Sonny Jenkins wrote: So if the plug in says it is up to date does that mean that whatever malware MAY have been put on my computer,,is now eliminated by the update?
Absolutely NOT. The Flash Player update only prevents further exploits that affected the previous versions. Any malware that was dropped onto your computer will remain until it is located and removed by a qualified security program that recognizes the threat and knows its component locations.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
- Sonny Jenkins
- Posts: 4413
- Joined: 19 Sep 2000 12:01 am
- Location: Texas Masonic Retirement Center,,,Arlington Tx
Like malwarebytes? Speaking of which, I run the free version at least once or twice a week,,,and it ALWAYS finds one (1) item, which I quarantine. Several months ago I signed up for the 30 day trial, set it to scan once a week,,,,it always found 20-25 items? Does the free version that is run manually not do as thorough a scan as the paid version?
- Wiz Feinberg
- Posts: 6103
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
The free version of MBAM does full threat scans, but does not do the following:
Hyper Scans
Scan/Database Update Scheduler
Malicious website blocking
Realtime protection
Chameleon Driver
Possibly, PUPs detection
It's been so long since I had that version I don't even remember what it lacked.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog