twitter facebook rss

Zero-day Flash vulnerability delivered by Angler

Posted by on January 22, 2015.

The Angler exploit kit has, according to Cisco’s latest report, replaced Blackhole as the kit of choice for the bad guys:

Cisco Security Research attributes Angler’s popularity to the decision by its author(s) to eliminate the requirement of downloading a Windows executable to deliver malware.

Angler’s use of Flash, Java, Microsoft Internet Explorer (IE), and even Silverlight vulnerabilities makes this exploit kit the “one to watch,” say Cisco researchers. Once the exploit is triggered, the malware payload is written directly into memory in a process such as iexplore.exe, instead of being written to a disk.
Cisco 2015 Annual Security Report

Angler has a particular affinity with Flash exploits. Now Kafeine has discovered a version carrying three flash exploits – one of which is a zero-day not seen before:

I spotted an instance of Angler EK which is sending three different bullets targeting Flash Player… And it seems we have a problem with that third one…
Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK

Zero-day exploits are valuable commodities. They are usually used sparingly on specific high value targeted attacks. This prolongs their life since they are likely to go undetected for a longer period than exploits used for mass infections. So its inclusion in the Angler EK makes it unusual, but particularly dangerous over a shorter period of time.

One likely infection method will be through malvertising. Malvertising is an increasing threat since users are not required to click on anything – they are silently redirected to the exploit kit via an innocent looking advert on a mainstream website. The combination of a popular exploit kit with a zero-day Flash exploit delivered via malvertising and injection straight into a running process makes it especially dangerous. It is what leads Kafeine to conclude:

Disabling Flash player for some days might be a good idea.

Not everyone is vulnerable. Fully patched Windows 8.1 appears to be immune, and Chrome isn’t targeted. Hopefully the threat will be short lived. Kafeine spotted it, and Adobe is investigating it. A patch is likely soon – but until then just be aware that there is a zero-day Flash vulnerability seeking mass infections via the world’s most popular exploit kit. If you are vulnerable, it may well be a good idea to disable Flash until the patch is delivered.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: News, News_vulnerabilities | Tags: , , ,