Flash 0-Day Exploit Used by Angler Exploit Kit

Published: 2015-01-21
Last Updated: 2015-01-21 18:07:57 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

The "Angler" exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post below shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Window 8 + IE 10) appear to be vulnerable. Windows 8.1, or Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog for details.

[1] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html

Johannes B. Ullrich, Ph.D.

9 comment(s)


- http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
Update: "... tested it against the free version of Malwarebytes Anti Exploit* (a product from one of my customers). That stopped it. Well done!..."
* https://www.malwarebytes.org/antiexploit/

I think people could probably try to configure a custom 'out of date activex blocking'policy xml, and distribute it via gpo and or logon scripts and or sccm <insert distro policy> (add flash entries to the xml, disable ms source upstate dl for it as per kb, distribute xml as per kb(unintended use) , enjoy flash for your intranet and trusted sites, while working on a package to revert it when desired )

https://technet.microsoft.com/en-us/library/dn761713.aspx https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlist.xml

It's sleep time here, but anyone else want to take a stab?
- http://blog.trendmicro.com/trendlabs-security-intelligence/flash-greets-2015-with-new-zero-day/
Jan 22, 2015 - "... Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users. Firefox is also immune to this threat..."

Geographic distribution of users affected by Angler
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/01/Geographic-Distribution-of-Users-Affected-by-Angler-01.jpg
Ps Hopefully the day 1s in EKs and this 0 day will push ms to add flash to that xml list out of the box ASAP. Not to say 0day EK exploits are the use case for ms

Presumably the chrome pepper flash plugin is harder to exploit (and is possibly partially sandboxed, and if I recall correctly auto updates without chrome having to necessarily)
Too quick pctech:) re pepper flash in chrome
Ppps if anyone wants to try the custom xml policy stuff, keep in mind you should in parallel be looking at managing ie and trusted sites via GPO(hopefully as part of the ie10 or 11 scm3 baseline and not using legacy and horrid ieak)
while on the subject of plugins and plugin management - complementary plug for

http://www.chromium.org/administrators/policy-list-3 | DefaultPluginsSetting=3 (click to play) | PluginsAllowedForUrls

>if I recall correctly [chome] auto updates [the flash plugin] without chrome having to necessarily

to correct myself, that's probably incorrect (chrome sys update, not just the flash plugin itself)

in any case I digress, given >Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users.
Adobe have released another update for the Free Adobe Flash Player - v16.0.0.287.

The relevant Adobe bulletin can be found at:
h t t p://helpx.adobe.com/security/products/flash-player/apsb15-02.html

I have just updated my main Windows 7 SP1 x64 build laptop today and will run a few tests to see if I get any issues.
Kafeine reports EMET 5.1 blocked the exploit in a superficial, single configuration test:

Windows 8.1 32bits, Internet Explorer 11, Flash

EMET detected StackPivot mitigation and will close the application: iexplore.exe

Diary Archives