Dark Reading discusses a critical zero-day in Adobe Flash – surprise surprise – currently being leveraged in a campaign targeting South Korean victims:
Adobe today confirmed a report yesterday by South Korea’s Computer Emergency Response Team (KrCERT/CC) of the discovery of the zero-day vulnerability in Flash Player ActiveX 18.104.22.168 and earlier versions. The bug (CVE-2018-4878) abused in the attacks is a use-after-free vulnerability that allows remote code execution, according to Adobe’s advisory.
Johannes Ullrich, head of the SANS Internet Storm Center, says the fact that this was a targeted, zero-day attack makes it more likely to be the handiwork of a nation-state actor.
“The attack was rather limited, and targeted at individuals in South Korea who are involved in research about North Korea. I think this makes for a pretty strong case that this was a nation-state sponsored attack. Other actors would have little motivation to use a zero-day exploit in an attack against a group like this,” Ullrich says. “On the other hand, it doesn’t have to be North Korea,” given the difficulty of attribution.
It should come as no surprise that although North Korea is attempting to publicly play nice with South Korea, in the background they continue their cyber attack campaigns targeting their neighbor.
The Mozilla Firefox web browser now blocks Flash by default. And when I say “blocks,” I don’t mean it asks you nicely if you’d really like to use Flash. I don’t mean it automatically pauses Flash videos like Google Chrome. I mean Mozilla has decided that Flash is going down.
Why such a hard-on for Flash? Why now? Well, it could be that the world just rediscovered just how prone Flash is to nasty, nasty vulnerabilities. When the Hacking Team—an Italian security company that sold intrusive spy tools—got hacked, one of those tools got out into the wild. A nasty hole in Flash that Adobe has yet to patch.
And in fact, Mozilla’s Mark Schmidt says that once the “publicly known vulnerabilities” are fixed, Firefox will stop actively blocking Flash.
So what about the bigger picture? Why ask to get rid of Flash once and for all?
This is only good for older versions of Flash with known vulnerabilities. The most recently issued version of Flash appears not to be blocked ... yet.
In a tweet this weekend, Stamos – who is a respected member of the security community who is credited for improving the security stance of Yahoo at his previous job – said that it was time for Adobe to announce when Flash would be killed off, and for browsers to assist by dropping support at the same time.
In a follow-up tweet, Stamos said that Adobe’s death date didn’t have to be today or tomorrow – but a date had to be set in stone for systems to be made more secure.
If Adobe Flash is ever going to be kicked to the kerb (as it seems it should be) then a date clearly needs to be declared to drive the push to a Flash-free world. It’s not just important for browsers, of course, but also for companies whose websites and in-house applications might rely heavily on the technology.
The problem is that perhaps Adobe doesn’t feel happy acknowledging that securing Flash is beyond them, and so is unwilling to drop the product. The truth is that the company would probably gain a lot more respect from the internet community if it worked towards this ultimate fix for the Flash problem, rather than clinging on to the belief that it might be able to one day make Flash secure.
I doubt many people will disagree. With mobile being the primary vehicle to the internet these days, Flash’s relevance continues to decline and will ultimately fade out anyway. It will be smarter for Adobe to do it sooner rather than later.
Two more serious security holes in Adobe Flash that let miscreants hijack vulnerable computers have emerged from the leaked Hacking Team files – and crooks are apparently already exploiting at least one of them to infect machines.
The use-after-free() programming flaws, for which no patches exist, are identified as CVE-2015-5122 and CVE-2015-5123. They are similar to the CVE-2015-5119 Flash bug patched last week. The 5122 and 5123 bugs let malicious Flash files execute code on victims’ computers and install malware. The bugs are present in the Windows, Linux and OS X builds of the plugin.
The 5119, 5122 and 5123 vulnerabilities were documented in stolen copies of files leaked online from spyware maker Hacking Team. The Italian biz’s surveillance-ware exploits the vulnerabilities to infect computers, and these monitoring tools are sold to countries including Saudi Arabia, Sudan, Russia and the US.
Everyone with Flash installed should remove or disable the software until the critical security bugs are patched, or at least enable “click to play” in their browsers so that you know exactly what you’re running on your system rather than letting websites play malicious Flash files silently in the background without warning or permission.
Flash needs to die. Since YouTube is HTML5 capable, I am seriously considering just getting rid of this craptastic, vulnerability-ridden software once and for all. Like Java, Flash should be outlawed.
Victims are lured with a generic phishing email whose text is very similar to spam messages. In an example provided by FireEye the bait used was an offer for a refurbished iMac system certified by Apple, with a discount between $200 and $450 (€180 – €400); the email further enticed the recipient with availability of one-year extendable warranty for the product.
Clicking on the provided link redirected to a server with scripts that checked if the visitor’s computer was worth compromising. If it presented no interest, the user would receive non-harmful content; otherwise, the victim was served malicious SWF and FLV files. The vulnerability exploited in the attack is a heap buffer overflow, now identified as CVE-2015-3113.
FireEye says that the attack code relies on common vector corruption techniques to get past the Address Space Layout Randomization (ASLR) protection from buffer overflow events; it also relies on a new ROP (Return-Oriented Programming) technique to bypass Data Execution Prevention (DEP) and other protection mechanisms, such as ROP detection.
Phishing, and by extension spear-phishing, remains the most widely used attack vector for one very simple reason: to this day it remains very easy to find one unsuspecting person at a target organization to open the malicious attachment. If the exploit is a zero-day, the likelihood of cyber defense measures detecting the malware is almost zero. This is why attackers love phishing.