Yet another Flash Player 0-day vulnerability being exploited! Patch released.
February 2, 2015
Prologue
I published a warning about a serious 0-day vulnerability being exploited in Flash Player just 11 days ago. It took Adobe 4 days to release a good working patch for those exploits. Well, the dust has barely settled, and Adobe and threat researchers at Trend Micro have just announced another 0-day exploit targeting the freshly patched Flash Player!
Like the mid-January Flash exploits, this one is delivered through malicious advertising bought on an ad delivery network (whose operators were tricked by bait-and-switch advertisers working for the criminals behind the Angler Exploit Kit). The known poisoned ads have been taken down by the ad network, but others may still be lingering. There is really no way of knowing whether a page you visit has those ads in rotation, short of having substantial security protection installed (see the "Extra security protection" section below).
See my updates at the end of this article.
What OS and browsers are affected?
Windows 8.1 and all earlier Windows versions are affected; the targeted browsers on those platforms are Firefox and Internet Explorer. Mac OS is also vulnerable through browser exploits, the affected browser being Safari. Finally, Linux computers are vulnerable through Firefox if the Flash plugin is installed.
In Firefox, if you have set Flash Player to "Ask to Activate" (also known as Click to Play) and you do not allow it to run on a page carrying an exploit ad, you will not be exploited automatically. In Internet Explorer the download is automatic and the exploit runs in the background, with nothing for you to click.
What versions of Flash Player are affected?
Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh are vulnerable. Version 16.0.0.296 is the one released just last week to patch the previous 0-day, which was exploited through similar "malvertisements," as they are now called.
What you should do now
Disable Flash Player in Firefox and Internet Explorer until Adobe releases another patch, which is expected any day now; Adobe is already working on it. If you must keep Flash active, use Google Chrome to browse websites that require Flash. Chrome is not currently targeted, although "not targeted" is not the same as "not vulnerable": Chrome's built-in Flash receives its fix through Chrome's own updater, so keep Chrome itself up to date.
If you have Windows computers, go to Control Panel (from the Start menu or the Charms bar) > Flash Player > Advanced tab and make sure the option "Allow Adobe to install updates (Recommended)" is selected. Then click the "Check Now" button to see whether a newer version than the one you have is listed. This opens the About Flash Player detection page in your default browser.
There are at least two copies of Flash on your computer if you have another browser in addition to Internet Explorer: the ActiveX version for IE, and the "plugin" (NPAPI) version used by Firefox, Opera and Safari. A third version (PPAPI) is built into Google Chrome. Each copy is updated separately, so check from each browser you actually use; a patched IE tells you nothing about Firefox.
If the version you have is lower than the one listed below it, download the newer version on the spot. Click the link labeled Flash Player Download Center and you will (theoretically) be offered the latest version for the browser with which you are viewing that page. There will also be a link for getting Flash for your other installed browsers, labeled "Need Flash Player for a different computer?"
In both cases, Adobe tries to bundle unrelated third-party software with your download. I personally deselect those "offers." It's up to you.
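The check that the About Flash Player page performs, as an added example in JavaScript; this is not code from the article or from Adobe's detection page. It parses the version string each browser reports, including the comma form Adobe's page prints and the "WIN 16,0,0,305" form the Internet Explorer ActiveX control returns, and compares it with the patched 16.0.0.305 build named in the updates at the end of this article. The patched-version constant comes from those updates; the function names, the status words and the sample strings are this example's own. The two-field "Shockwave Flash 16.0 r0" case is included to show why a plugin description alone cannot prove you are patched.

```javascript
// Added example (not from the article or from Adobe): decide from a
// browser-reported Flash Player version string whether the installed build
// is at or above the patched release. PATCHED_VERSION is the 16.0.0.305
// build the article's updates report; function names, status words and
// sample strings are assumptions made for this example.

const PATCHED_VERSION = "16.0.0.305";

// Parse the forms a browser hands back:
//   "16.0.0.305"               - Firefox/Chrome plugin .version
//   "16,0,0,305"               - what Adobe's About Flash Player page prints
//   "WIN 16,0,0,305"           - IE ActiveX control, GetVariable("$version")
//   "Shockwave Flash 16.0 r0"  - NPAPI plugin .description (no build number)
// Returns { parts: [major, minor, build, revision], complete } or null.
function parseFlashVersion(text) {
  if (typeof text !== "string") return null;
  const m = text.match(/(\d+)[.,](\d+)(?:[.,](\d+))?(?:[.,](\d+))?/);
  if (!m) return null;
  const fields = m.slice(1, 5);
  const parts = fields.map((f) => (f === undefined ? 0 : parseInt(f, 10)));
  // A description such as "Shockwave Flash 16.0 r0" carries only major.minor,
  // so it cannot distinguish 16.0.0.296 from 16.0.0.305; flag it, don't guess.
  const complete = fields.every((f) => f !== undefined);
  return { parts, complete };
}

// Lexicographic compare of two four-part version arrays: -1, 0 or 1.
function compareParts(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Status for one reported string:
//   "absent"     - nothing reported (no Flash, so not exposed to this bug)
//   "unknown"    - no full four-part version could be read from the string
//   "vulnerable" - older than the patched build (16.0.0.296 and earlier)
//   "patched"    - the patched build or newer
function assessFlash(reported, patched = PATCHED_VERSION) {
  if (reported === null || reported === undefined || reported === "") return "absent";
  const v = parseFlashVersion(reported);
  if (!v || !v.complete) return "unknown";
  const fixed = parseFlashVersion(patched).parts;
  return compareParts(v.parts, fixed) < 0 ? "vulnerable" : "patched";
}

// Ask the running browser what it loads. navigator.plugins covers Firefox,
// Chrome, Safari and Opera; the ActiveX control covers Internet Explorer
// (checked with "in" because IE11 hides ActiveXObject from typeof).
// Returns the raw string, or null when neither route yields anything,
// which is also what happens under Node, where there is no plugin list.
function detectInstalledFlash() {
  if (typeof navigator !== "undefined" && navigator.plugins) {
    const p = navigator.plugins["Shockwave Flash"];
    if (p) return p.version || p.description || null;
  }
  if (typeof window !== "undefined" && "ActiveXObject" in window) {
    try {
      return new window.ActiveXObject("ShockwaveFlash.ShockwaveFlash").GetVariable("$version");
    } catch (e) {
      return null; // control not registered, or blocked by a kill bit
    }
  }
  return null;
}
```

Run under Node this exercises only the parsing; loaded in a browser, `assessFlash(detectInstalledFlash())` reports on the copy of Flash that particular browser loads, which is why the check has to be repeated from IE, Firefox and Chrome separately rather than once per machine.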
Do you really "need" Flash Player?
If all you have been using Flash Player for is watching YouTube videos, you no longer need it. Almost all YouTube video content has been converted to the safer, W3C-standard HTML5 video format, which is fully supported by all current versions of the major browsers. But if you insist on using outdated software such as Internet Explorer 8 or older, it does not understand HTML5 video. Either upgrade your browser to the newest version, or install the current version of Google Chrome or Firefox.
Extra security protection
At the beginning of this article I mentioned that having "substantial security protection" installed will help fend off such drive-by download exploit attacks. Here is what I currently use:
- Malwarebytes Anti-Exploit
- Malwarebytes Anti-Malware
- Trend Home Internet Security. Note that most Trend Micro customers are already protected against these exploits by the Trend Micro Smart Protection Network.
Additionally, Firefox (current version) is my default browser, with Flash set to always "Ask to Activate." Further, I have the NoScript add-on for Firefox and whitelist only websites I feel can be trusted. Even with scripting allowed by NoScript, there are protections in place to block known cross-site scripting attack vectors. Finally, for the extremely paranoid, there is another Firefox add-on called AdBlock Plus. I am using it because of these 0-day exploit attacks using ad networks to deliver their payloads; it is really just a backup for NoScript and Ask to Activate in Firefox. I don't normally block any ads, seeing as I myself have affiliate ads on my websites. AdBlock Plus allows you to whitelist a domain or a single page with one click.
Internet security has to be multi-layered in order to detect and block newer exploit kits, which are usually state of the art in the cybercrime underworld. I find good security programs that play nicely together (like the three above) and keep them active and updated.
Epilogue
Watch for a new Flash Player update coming any time this week (the week beginning February 2, 2015). I will publish an update to this article, or write a new one, once Adobe completely patches this vulnerability in Flash Player.
UPDATE: 2/4/2015, 11:45pm EST
The automatic Adobe Flash updater module just performed an update of Flash for both Firefox and Internet Explorer, from version 16.0.0.296 to 16.0.0.305. The About Flash Player page shows that I have the newer version, but still lists the previous version (.296) as the most recent. The manual download center also incorrectly shows the previous version as current. This means that, like last week's updates, those with automatic updates enabled are being patched ahead of those wishing to do so manually.
You can enable automatic updates on Windows computers via Control Panel > Flash Player > Advanced tab. You'll need to supply the Administrator password (XP), or at least acknowledge the UAC prompt, to change the setting if it wasn't already set to "Allow Adobe to install updates (Recommended)."
UPDATE: 2/5/2015, 11:45am EST
Adobe has finally updated the About Flash Player page to reflect the new patched version as being current (version 16.0.0.305). You can now download Flash for your OS and various browsers manually, from the Adobe Flash Player Download Center.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.