Flash 0-Day: Deciphering CVEs and Understanding Patches
(updated with Jan 24th update)
The last two weeks, we so far had two different Adobe advisories (one regularly scheduled, and one "out of band"), and three new vulnerabilities. I would like to help our readers deciphering some of the CVEs and patches that you may have seen.
CVE | Fixed in Flash Version | Currently Used in Attacks | Advisory |
CVE-2014-8440 | 15.0.0.223 (Nov. 2014) | yes | APSB14-24 |
several | 16.0.0.257 (mid Jan 2015) | yes. | APSB15-01 |
CVE-2015-0310 | 16.0.0.287 (late Jan 2015) | yes | APSB15-02 |
CVE-2015-0311 | 16.0.0.296 (Jan 24th 2015) | yes | APSA15-01 |
So in short: There is still one unpatched Flash vulnerability. System running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1 and the vulnerability is not exposed via Chrome. EMET appears to help, so may other tools like Malwarebytes Anti-Exploit.
Keywords: flash
9 comment(s)
My next class:
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
×
Diary Archives
Comments
Anonymous
Jan 23rd 2015
9 years ago
Cheers,
Adrien
Anonymous
Jan 23rd 2015
9 years ago
Anonymous
Jan 23rd 2015
9 years ago
Another broken link for CVE-2015-0311 please:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0311
Regards
@Rmkml
Anonymous
Jan 23rd 2015
9 years ago
Anonymous
Jan 23rd 2015
9 years ago
Anonymous
Jan 23rd 2015
9 years ago
Fully Update windows 8.1 with Internet Explorer 11 up to date.
Owned - 2015-01-22
However EMET 5.1 detects a stack-pivot and blocks the exploit, though Kafeine reports performing only testing one configuration (the above) one time.
Anonymous
Jan 23rd 2015
9 years ago
If only every vendor provided clear tables like this, and if I could combine them into one, and annotate with which versions are installed on every managed workstation, laptop, handheld, ... it would go some way to actually being able to keep up with the rate we see new vulnerabilities these days.
Anonymous
Jan 23rd 2015
9 years ago
so as briefly discussed in https://isc.sans.edu/forums/diary/Flash+0Day+Exploit+Used+by+Angler+Exploit+Kit/19213/
( =( aww couldn't crowdsource it via SANS ;) )
I've looked at extending MS's out of date active-x blocking XML for Flash and it worked.
Technically there is no indication if it is intended for admin modification but hey.
the readme, xml and a brief discussion of things are in a poorly formatted readme.md
on
here is a picture of the end result: https://github.com/mallorybobalice/ie-custom-oob-xml-rules/issues/1
https://github.com/mallorybobalice/ie-custom-oob-xml-rules/
https://github.com/mallorybobalice/ie-custom-oob-xml-rules/blob/master/versionlist.xml
https://github.com/mallorybobalice/ie-custom-oob-xml-rules/blob/master/README.md
the versionlist.xml and how to deploy it is there as well.
While on the subject of blocking or preventing it being exploited - please join the discussion about deploying EMET and to whine a bit about your experience here: https://isc.sans.edu/forums/your+EMET+51+experience/667/
While on the subject - let's share experiences about deploying EMET. It is hard. We should put together more guidance as a community for it or pressure MS to. (or if there's good docs and I'm confused - please do point me to them)
PS if EMET 5.1 wasn't blocking the exploits in question via the StackPivot detection or another mitigation [complementation mention for Kafeine only testing defaults and existing exploits, but I have a feeling 5.1 is harder to bypass]
EMET can do something very similar to the above using EMET 'Attack Surface Reduction'.
That's a fancy name for 'prevent a DLL you name from loading' [not granular for versions unlike with ALB] and allows you to grant local intranet/trusted site exceptions
e.g. add flash.ocx;FlashUtil_ActiveX.dll to the ASR list
What's more can also do it for any other process you add EMET rules for . [once you get past the initial deployment hurdles that is]
Anonymous
Jan 24th 2015
9 years ago