Another 0-day exploit attack underway against Flash Player

The machines we love to hate

Moderator: Wiz Feinberg

Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Another 0-day exploit attack underway against Flash Player

Post by Wiz Feinberg »

It's only been 11 days since my last alert about a critical vulnerability in Adobe's Flash Player, being exploited in the wild by "malvertisements," delivered by ad networks tricked into running those ads. Today, Adobe and Trend Micro announced that a new round of exploit attacks are underway, targeting a new 0-day vulnerability in the brand new Flash Player 16.0.0.296. Adobe says that another patch for Flash is coming this week.

Rather than repeat a thousand words, please read my newest blog article I just published today, February 2, 2015. It explains the nature of the attacks and repeats the good advice on how to stay protected. I also list my security program solutions to these exploit kits.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Richard Sinkler
Posts: 17808
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Post by Richard Sinkler »

Can I also assume it affects Safari for Windows? What about Safari on iOS devices?
Carter D10 8p/7k, Dekley S10 3p/4k C6 setup, Regal RD40 Dobro, Recording King Professional Dobro, NV400, NV112, Ibanez Gio guitar, Epiphone SG Special (open G slide and regular G tuning guitar).

Playing for 55 years and still counting.
Richard Sinkler
Posts: 17808
Joined: 15 Aug 1998 12:01 am
Location: aka: Rusty Strings -- Missoula, Montana

Post by Richard Sinkler »

Another thing that has piqued my interest. How do they attack Flash only on certain browsers?
Carter D10 8p/7k, Dekley S10 3p/4k C6 setup, Regal RD40 Dobro, Recording King Professional Dobro, NV400, NV112, Ibanez Gio guitar, Epiphone SG Special (open G slide and regular G tuning guitar).

Playing for 55 years and still counting.
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Apple's Safari is often regarded as low-hanging fruit by people in the exploit business. It is barely receiving any updates for versions running on Windows PCs. The only thing saving the hapless browser is its low market share. It is easily exploitable via the Flash plugin it runs, whether on Windows, Mac, or iPhones.

As for how "they" target particular browsers, it is part of the logic/decision tree at the start of an exploit (if/then, else/then, else...). The Angler Exploit Kit targets Internet Explorer first, then looks for the Mozilla Firefox user agent string and attacks its Flash Player plugin. It can attack Safari using the final fallback logic. But, it specifically does not target Google Chrome. The sandbox built into Chrome is too strong for a silent drive-by exploit download. It would not be silent and could easily be blocked by alert users.

The only reason for targeting Firefox is because many users disable Flash click to play protection, for their own convenience.

In the previous exploit attacks from late January, the original decision tree was written incorrectly and Firefox did not receive its exploit package (the bullet, as Kafeine calls it). One day later, the criminal minds behind the Angler EK realized their mistake and fixed the logic. They also updated their attack codes to take down fully patched Windows 8.1 with IE 11.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Dave Potter
Posts: 1565
Joined: 15 Apr 2003 12:01 am
Location: Texas

Post by Dave Potter »

Wiz Feinberg wrote:Apple's Safari is often regarded as low hanging fruit by people in the exploit business.
Pretty funny. :lol:
One day later, the criminal minds behind the Angler EK realized their mistake and fixed the logic. They also updated their attack codes to take down fully patched Windows 8.1 with IE 11.
It makes me wonder if, regardless of "their" motivation, whether there's really any future in even attempting to defend against all this stuff. If "they" always find a way, what's the point?
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Dave Potter wrote:
Wiz Feinberg wrote:Apple's Safari is often regarded as low hanging fruit by people in the exploit business.
Pretty funny. :lol:
One day later, the criminal minds behind the Angler EK realized their mistake and fixed the logic. They also updated their attack codes to take down fully patched Windows 8.1 with IE 11.
It makes me wonder if, regardless of "their" motivation, whether there's really any future in even attempting to defend against all this stuff. If "they" always find a way, what's the point?
It's a matter of ownership. I profess to own the computers I have bought or built and slaved to personalize. A thief may attempt to steal my control of the computer via malware, or social engineering. I resist. It is in my nature to do this. As determined as Boris Badenoff may be to pwn my PCs, I am equally determined to fight him off.

If a body has the same view that you own your computer and Boris isn't taking it from me without a fight, which is the American way, you will arm your computer with all the best defenses you can find. By taking certain steps we can reduce our surface of exposure to a pin point, instead of a playground. I have been blogging about the best practices one can use to reduce the likelihood of getting infected for years.

In a nutshell, the easier it is for you to do things online, the easier it is for the bad guys to exploit you. If you add layers of nuisances to your daily browsing, it also ramps up the trick level they need to employ against you.

Some of the things I have preached about for the last 8 years include the following tips.
  1. No matter what operating system you use, operate with the least possible user privileges that allow you to perform your daily tasks. Do not browse the Internet from an Administrator level account!
  2. Set a good password for your Administrator account. Use it in UAC prompts to elevate your privileges to upgrade installed programs.
  3. Do not disable UAC prompts. They are one of your doormen.
  4. Do not operate a Windows PC without active and up to date virus and malware protection. This may mean buying two or three security programs that may or may not overlap a little, but target different malicious activities.
  5. If at all possible, enable the Status Bar in your preferred browser. The Status gives readouts of the actual URL when you hover over links on web pages, or in browser based email systems ("webmail"). Seeing that an actual URL is in no way related to the anchor text you are offered can save your PC from being attacked, if it was a poisoned link.
  6. Screen your email for threats before opening it! I use MailWasher Pro to do this and have done so for the last decade.
  7. Make use of any spam filter utilities your email client provides. Create filters that block known bad actors and delete those messages from the mail server.
  8. If your email client is a desktop program, like Windows Live Mail, successor to Outlook Express, enable the Status Bar in both the main interface and the preview windows or bottom preview pane. The Status readout reveals the actual URL of any links before you click on them.
  9. Learn to identify foreign Country codes in URLs, so you don't click on a link to a .ru domain, unless you mean to.
  10. Treat any email message with bad grammar (in your language) as spam, a scam, or some form of threat.
  11. Make sure that you enable the View option to show, not hide, extensions for known file types. Threats delivered in email attachments often try to trick you into thinking that the file is an image or PDF (using that type of icon), when in fact it is an .exe. Also, display extensions in system folders and show their contents. It makes it easier to spot files that are out of place.
  12. Do not open attachments unless you can plainly see all file extensions and have active virus protection.
  13. Do not click on stories or videos on social networks that start with OMG. They usually lead to exploit kits, or survey scams, or try to post in your name.
  14. Do not reuse the same passwords across multiple websites. Mix them up. When possible, use a passphrase made up of two or more words. The better password systems even allow for spaces between words. Think: "What would Commander Data use for a password?"
  15. Empty out all temporary files before shutting down your computer. I use CCleaner to do this. It allows you to include custom paths to be cleaned. I add my %AppData%/Roaming directory for any executables. A lot of "userland" malware hides in your AppData folder, where no .exe files should normally exist. The format of this command is: C:\Users\(your account name)\%AppData%Roaming\*.exe
  16. Set your anti-virus and anti-malware programs to update as often as the program allows and to scan daily or nightly.
  17. If possible, do not use Internet Explorer as your default browser. Instead, use Google Chrome or Mozilla Firefox. Always enable automatic updates for the browser and any Add-ons and Plugins you have installed.
  18. Do not use obsolete browser versions, unless you are a web developer working offline. Update to the latest version of each brand of browser you have installed.
  19. If your browser supports click to play, enable it for Flash, Silverlight, Adobe Reader/Acrobat and Java (if you absolutely must use that dangerous technology).
  20. If you have no known need for Java on a computer, uninstall it totally, including all old versions still listed as installed. Java is one of the most dangerous plugins for web browsers and is usually the number one target of exploit kits. This is followed by Adobe Flash and Adobe Reader/Acrobat, followed by Microsoft Silverlight. Uninstall or disable plugins you don't use, or set them to Ask To Activate (Click to Play)
  21. If your anti-virus program doesn't add a browser plugin that blocks known dangerous web pages, see if your browser itself offers such an option. Chrome has such a feature built in. All Trend Micro Security programs block dangerous web pages before they are opened in your browser.
Those are a few things that come to mind as I think about securing a PC in these dangerous times. It is by no means the entire list.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
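Tips 11 and 15 above (show real file extensions, and look for executables sitting in the roaming AppData folder) can be turned into a small inspection script. The following is an added example written for this thread, not Wiz's own tooling or a CCleaner feature; the extension lists, the sample folder layout and the file names in it are constructed assumptions, and on Windows the `%APPDATA%` variable already expands to the Roaming folder, so that is what the script scans by default.

```python
"""Added example: flag executables under a user's roaming AppData tree and
spot 'invoice.pdf.exe'-style names that disguise an executable as a document.
Constructed sample data; extension sets are assumptions, not a complete list."""
import os
import tempfile
from pathlib import Path

# File types Windows will run directly when double-clicked (assumed starter set).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document/image types a lure typically imitates with a fake icon (assumed).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png", ".txt", ".zip"}


def is_disguised_executable(name: str) -> bool:
    """True for names like 'photo.jpg.exe': the real (last) extension is
    executable and a document-looking extension sits right before it."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS


def find_unexpected_executables(root):
    """Walk `root` (think %APPDATA%) and return sorted paths of files whose
    extension is executable. Only the extension is inspected here."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if Path(f).suffix.lower() in EXECUTABLE_EXTS:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def report(root):
    """Map each hit (relative, forward-slash path) to whether its name also
    looks like a double-extension disguise."""
    return {
        os.path.relpath(h, root).replace(os.sep, "/"): is_disguised_executable(os.path.basename(h))
        for h in find_unexpected_executables(root)
    }


def build_sample_tree(base):
    """Constructed stand-in for a roaming AppData folder (not real malware)."""
    layout = {
        "Mozilla/Firefox/profiles.ini": b"[General]\n",      # normal config file
        "Microsoft/Windows/Themes/slide.jpg": b"\xff\xd8",   # normal image
        "Updater/svchost.exe": b"MZ",                        # executable where none belongs (constructed)
        "Downloads/invoice.pdf.exe": b"MZ",                  # double-extension disguise (constructed)
    }
    for rel, data in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def default_roaming_appdata():
    """Resolve the roaming AppData folder on Windows; None on other systems."""
    appdata = os.environ.get("APPDATA")
    return appdata if appdata and os.path.isdir(appdata) else None


if __name__ == "__main__":
    target = default_roaming_appdata()
    if target is None:
        # Not on Windows: demonstrate on the constructed sample tree instead.
        with tempfile.TemporaryDirectory() as tmp:
            for path, disguised in report(build_sample_tree(tmp)).items():
                print(f"{path}  disguised={disguised}")
    else:
        for path, disguised in report(target).items():
            print(f"{path}  disguised={disguised}")
```

A hit is a reason to look, not proof of infection: some legitimate programs do install updaters under Roaming, so check the publisher and the digital signature of anything the script lists before deleting it.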
Scott Duckworth
Posts: 3464
Joined: 6 Apr 2013 8:41 am
Location: Etowah, TN Western Foothills of the Smokies

Post by Scott Duckworth »

Wiz, I have a question re:
Do you really "need" Flash Player?

If all you have been using Flash Player for is to watch YouTube videos, you no longer need it. Almost all video content on YouTube has been converted into a safer, W3C standards compliant HTML 5.0 video format. This format is fully supported by all current versions of the major browsers. But, if you insist on using outdated software, like Internet Explorer 8 or older, it doesn't understand HTML 5 video. Either upgrade your browser to the newest version, or install the current version of Google Chrome or Firefox.
I run a Flash Blocker in Firefox (ver 35.0.1). I still have to click the "F" icon to play YouTube vids. How do I get them to play in HTML 5.0?
Amateur Radio Operator NA4IT (Extra)
http://www.qsl.net/na4it

I may, in fact, be nuts. However, I am screwed onto the right bolt... Jesus!
Dave Potter
Posts: 1565
Joined: 15 Apr 2003 12:01 am
Location: Texas

Post by Dave Potter »

Wiz Feinberg wrote:It's a matter of ownership.... A thief may attempt to steal my control of the computer via malware, or social engineering. I resist.
Well put, Wiz, and I do all that too. Re-reading what I said, I can't remember what was going through my mind at the time - prolly a bit of frustration.

Of course it's worth the effort to defend against the malcontents who do this stuff - what alternate universe do they live in?

As always, I appreciate your insights.
Last edited by Dave Potter on 3 Feb 2015 5:09 pm, edited 1 time in total.
Scott Duckworth
Posts: 3464
Joined: 6 Apr 2013 8:41 am
Location: Etowah, TN Western Foothills of the Smokies

Post by Scott Duckworth »

Wiz, I might add I do have the VLC Web plugin for Firefox, if that can be used to play videos safely...
Amateur Radio Operator NA4IT (Extra)
http://www.qsl.net/na4it

I may, in fact, be nuts. However, I am screwed onto the right bolt... Jesus!
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Adobe releases new version of Flash Player on 2/4/15

Post by Wiz Feinberg »

Adobe has just tonight (Feb 4, 2015) released a new version of its Flash Player, version 16,0,0,305, but only to computers with automatic Flash Player updates enabled. The rest who wish to update manually must wait another day or so to be able to download the new version.

Flash Players up to and including version 16.0.0.296 are being attacked in a "malvertising" exploit campaign, via poisoned ads run on a particular ad delivery network.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
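The post above gives two version numbers that matter for anyone checking more than one PC: 16.0.0.296 and earlier are being attacked, and 16,0,0,305 is the fixed build. Adobe writes the same version with commas in some places and dots in others, and a plain string comparison gets builds like 16.0.0.1000 wrong, so the check below parses the parts into integers first. This is an added example for this thread, not code from Adobe or from the post; the inventory of hosts and version strings is constructed.

```python
"""Added example: decide whether an installed Flash Player version is older
than the first fixed build (16.0.0.305) named in the post above.
Handles Adobe's comma- and dot-separated notation; sample inventory is constructed."""
import re

FIXED_VERSION = "16.0.0.305"   # first patched build, from the post


def parse_version(text: str) -> tuple:
    """Accept '16.0.0.305', '16,0,0,305', or a longer string containing such
    a four-part version, and return it as a tuple of ints."""
    m = re.search(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)", text)
    if not m:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build. Tuple comparison
    avoids the string-comparison mistake ('16.0.0.1000' < '16.0.0.305')."""
    return parse_version(installed) < parse_version(fixed)


def assess(inventory: dict) -> dict:
    """inventory: host -> version string as the plugin reports it.
    Returns host -> 'PATCH', 'ok', or 'unknown' (no version string found)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "PATCH" if is_vulnerable(version) else "ok"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed inventory (hypothetical host names and plugin strings).
SAMPLE_INVENTORY = {
    "pc-office-1": "16,0,0,296",                      # Adobe's comma notation
    "pc-office-2": "16.0.0.305",                      # fixed build
    "pc-lab": "Shockwave Flash 15.0 r0 (15.0.0.246)",  # older branch, still affected
    "mac-studio": "not installed",                    # nothing to patch
}

if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {verdict}")
```

Treat "unknown" as a host to look at by hand rather than as safe: a missing or unparsable version string may mean Flash is absent, or only that the inventory tool could not read it.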