Adobe Flash/Acrobat/Reader exploits-in-the-wild

2015-01-21, 18:30

Flash 0-Day Exploit used by Angler Exploit Kit
- https://isc.sans.edu/diary.html?storyid=19213
2015-01-21 - "The "Angler" exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly. However, the blog post below* shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1, or Google Chrome do not appear to be vulnerable... typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly..."
* http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
2015-01-21 - "... Angler EK exploiting last version ( of Flash..."
Update: "... tested it against the free version of Malwarebytes Anti Exploit* (a product from one of my customers). That stopped it. Well done!..."
* https://www.malwarebytes.org/antiexploit/

- http://blog.trendmicro.com/trendlabs-security-intelligence/flash-greets-2015-with-new-zero-day/
Jan 22, 2015 - "... Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users. Firefox is also immune to this threat..."
Geographic distribution of users affected by Angler
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/01/Geographic-Distribution-of-Users-Affected-by-Angler-01.jpg


2015-01-23, 20:11

- http://blog.trendmicro.com/trendlabs-security-intelligence/flash-greets-2015-with-new-zero-day/
Update as of January 22, 2015, 9:30 PM PST: "... Adobe released an update to Flash, bringing the latest version to However, this does -not- patch the vulnerability described in this post. Instead, it fixes a -separate- vulnerability (CVE-2015-0310). A patch for the vulnerability described here (now designated as CVE-2015-0311) will be released sometime next week.*
In the meantime, we note that Chrome is still unaffected by this vulnerability. Users of other browsers who are unable to disable Flash Player (due to usability issues) can consider downloading ad blocking software or extensions, which would help in reducing the exposure to this threat."

> http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
"... Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to (included) is installed and enabled.
[Edit : 2015-01-22 - 15:30 GMT+2] Til this morning Firefox users were safe. Angler EK coders [hacks] 'fixed' the issue... and they are now under fire as well..."

* https://helpx.adobe.com/security/products/flash-player/apsa15-01.html
Updated: Jan 22, 2015 - "... We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below. Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26..."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0311
Last revised: 01/23/2015

>> Recommend: DISABLE Flash extension/Plugin until that fix is available.
>> Firefox: >Tools >Addons >Plugins >Shockwave Flash - Never Activate.

... until NEW UPDATED FIX from Adobe is released/installed.

See: http://forums.spybot.info/showthread.php?12890-Adobe-updates-advisories&p=461336&viewfull=1#post461336
Jan 24, 2015 - "... available..."


2015-02-02, 20:22

Flash - see: http://forums.spybot.info/showthread.php?12890-Adobe-updates-advisories&p=461790&viewfull=1#post461790
Feb 4, 2015

Another Flash Player 0-day exploit in-the-wild ...
- https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
Feb 2, 2015
CVE number: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0313 - 10.0 (HIGH)
Last revised: 02/04/2015 - "... as exploited in the wild in February 2015."
Platform: All Platforms
Summary: A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. Adobe expects to release an update for Flash Player during the week of February 2.
Affected software versions:
- Adobe Flash Player and earlier versions for Windows and Macintosh
- Adobe Flash Player and earlier 13.x versions

Revisions: Removed Flash Player version 11.x from the list of affected versions. Version 11.x and earlier do not support the functionality affected by CVE-2015-0313.

> https://blogs.adobe.com/psirt/?p=1171
Feb 2, 2015

- https://isc.sans.edu/diary.html?storyid=19269
Last Updated: 2015-02-02 15:12:32 UTC

- http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-new-adobe-flash-zero-day-exploit-used-in-malvertisements/
Feb 2, 2015 - "... a new zero-day exploit in Adobe Flash used in -malvertisement- attacks. The exploit affects the most recent version of Adobe Flash, and is now identified as CVE-2015-0313... So far we’ve seen around 3,294 hits related to the exploit, and with an attack already seen in the wild, it’s likely there are other attacks leveraging this zero-day, posing a great risk of system compromise to unprotected systems. Since the exploit affects the latest version of Flash, users may consider -disabling- Flash Player until a fixed version is released. Adobe has confirmed that this is a zero-day exploit and the patch is expected to be available this week to address this..."

How to Disable Flash:

In I/E: http://www.ehow.com/how_7332733_turn-off-flash.html
1. Launch Internet Explorer. Click "Tools" and click "Internet Options." Click the "Programs" tab.

2. Open the "Manage add-ons" button. Click the drop-down list under "Show" and select "Run without permission."

3. Click "Shockwave Flash Object" under the "Adobe System Incorporated" section. Click the "Disable" button. Reboot your system.

In Chrome: http://www.ehow.com/how_8270649_disable-shockwave-flash-chrome.html

- Enter the following address in Chrome’s address bar to access the Plug-ins screen:

Scroll down the list of plug-ins and click the “Disable” link located at the bottom of the Adobe Flash Player section to disable Flash.

In Firefox: Tools> Addons> Plugins> Shockwave Flash - Never Activate

>> Browser check: https://browsercheck.qualys.com/?scan_type=js
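As an added illustration of the Internet Explorer disable step above (not from the original post, ehow or Adobe): a PowerShell snippet that reports the installed Flash ActiveX version and, on request, sets the IE ActiveX "kill bit" for the Shockwave Flash Object so IE will not load the control until the flag is removed again after patching. It assumes the usual Adobe registry location for the ActiveX version (HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX) and the public Flash CLSID, and must run from an elevated session.

```powershell
# Added example (not from the original thread): report the installed Flash ActiveX
# version and optionally set the IE "kill bit" so the Shockwave Flash Object will
# not load. Assumes the usual Flash registry location and the public Flash CLSID.
# Requires an elevated PowerShell session; use -WhatIf to preview the change.

# CLSID of "Shockwave Flash Object" as registered by Adobe's ActiveX installer.
$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
# IE reads per-CLSID compatibility flags from this key; 0x400 is the kill bit.
$CompatKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
$KillBit    = 0x400

function Get-FlashActiveXVersion {
    # Adobe's installer records the ActiveX version here (assumed location).
    $key = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX'
    if (Test-Path $key) {
        return (Get-ItemProperty -Path $key -Name Version -ErrorAction SilentlyContinue).Version
    }
    return $null   # no ActiveX Flash installed
}

function Test-FlashKillBit {
    # True when the kill bit is already set for the Flash control.
    if (-not (Test-Path $CompatKey)) { return $false }
    $flags = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Set-FlashKillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($CompatKey, 'Set ActiveX kill bit (0x400)')) {
        if (-not (Test-Path $CompatKey)) { New-Item -Path $CompatKey -Force | Out-Null }
        # Preserve any other flags already present and OR in the kill bit.
        $existing = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$existing) -bor $KillBit
        Set-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

$version = Get-FlashActiveXVersion
if ($version) { Write-Output "Flash ActiveX installed: $version" } else { Write-Output 'Flash ActiveX not found' }
Write-Output ("Kill bit set: {0}" -f (Test-FlashKillBit))
# To disable the control in IE until Adobe's fix is installed, run: Set-FlashKillBit
# (or Set-FlashKillBit -WhatIf to preview). Clear the 0x400 flag again after patching.
```

The kill bit only affects Internet Explorer; the Firefox plugin and Chrome's bundled Flash are disabled through the browser settings listed above.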


2015-10-14, 19:46

FIX: https://forums.spybot.info/showthread.php?12890-Adobe-updates-advisories&p=466637#post466637

Flash 0-Day used in Pawn Storm...
>> http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/
Oct 13, 2015 - "... the attackers behind Pawn Storm[1] are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day* we’ve seen in the last couple of years... Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions and We have notified Adobe about our discovery and are working with them to address this security concern. Updates to this entry will be made once more information is available."

'Suggest Flash be -disabled- immediately until a new fix/release from Adobe is available...

* 'Suggest Java be disabled, too. Next scheduled release of Java update due 10.20.2015.
- https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/10/13/patch-tuesday-october-2015
Oct 13, 2015 - "... Oracle will have their CPU later this month, on the 20th..."

[1] https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-pawn-storm-fast-facts

>> https://helpx.adobe.com/security/products/flash-player/apsa15-05.html
Oct 14, 2015 - "... A critical vulnerability (CVE-2015-7645) has been identified in Adobe Flash Player and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks.
UPDATE: Adobe expects updates to be available as early as October 16."

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7645
10/15/2015 - "... as exploited in the wild in October 2015."


2016-04-08, 17:20

Adobe Flash 0-day (CVE-2016-1019) in-the-Wild - Exploit Kits delivering Ransomware
- http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-1019-zero-day-integrated-in-exploit-kit/
April 7, 2016 - "... Trend Micro has observed active zero day attacks from the Magnitude Exploit Kit affecting users of Flash and earlier. These attacks are not effective against users of Flash versions and This is because of a heap mitigation that Adobe introduced in version and is also present in version Users of these versions will only experience a crash in Adobe Flash when attacks attempt to exploit the vulnerability. All users are highly recommended to immediately update their systems with the latest security fix* as this is actively being exploited in the wild. Prior to today’s security fix, we observed the exploit kit already integrating this vulnerability in its arsenal, which leaves systems infected with ransomware..."
* https://helpx.adobe.com/security/products/flash-player/apsb16-10.html

>> https://forums.spybot.info/showthread.php?12890-Adobe-updates-advisories&p=469863#post469863

- https://atlas.arbor.net/briefs/index#-169418222
April 07, 2016 21:52

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1019
Last revised: 04/07/2016
10.0 HIGH
"Adobe Flash Player and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016."