
SANS ISC: Flash 0-Day Exploit Used by Angler Exploit Kit - SANS Internet Storm Center


Flash 0-Day Exploit Used by Angler Exploit Kit

The "Angler" exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post below shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1 and Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog for details.

[1] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Intrusion Detection In-Depth - SANS London July 2019

Johannes

3563 Posts
ISC Handler
- http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
Update: "... tested it against the free version of Malwarebytes Anti Exploit* (a product from one of my customers). That stopped it. Well done!..."
* https://www.malwarebytes.org/antiexploit/

PC.Tech

34 Posts
I think people could probably try to configure a custom 'out of date ActiveX blocking' policy XML and distribute it via GPO and/or logon scripts and/or SCCM <insert distro policy> (add Flash entries to the XML, disable the MS source update download for it as per the KB, distribute the XML as per the KB (unintended use), enjoy Flash for your intranet and trusted sites, while working on a package to revert it when desired).

https://technet.microsoft.com/en-us/library/dn761713.aspx
https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlist.xml

It's sleep time here, but anyone else want to take a stab?
Mallory Bobalice

28 Posts
- http://blog.trendmicro.com/trendlabs-security-intelligence/flash-greets-2015-with-new-zero-day/
Jan 22, 2015 - "... Chrome’s version of the Flash Player plugin is sandboxed, mitigating potential effects to end users. Firefox is also immune to this threat..."

Geographic distribution of users affected by Angler
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/01/Geographic-Distribution-of-Users-Affected-by-Angler-01.jpg
PC.Tech

34 Posts
PS: Hopefully the day-1s in EKs and this 0-day will push MS to add Flash to that XML list out of the box ASAP. Not to say 0-day EK exploits are the use case for MS.

PPS: Presumably the Chrome Pepper Flash plugin is harder to exploit (and is possibly partially sandboxed, and, if I recall correctly, auto-updates without Chrome having to necessarily).
Mallory Bobalice

28 Posts
Too quick, PC.Tech :) re Pepper Flash in Chrome
Mallory Bobalice

28 Posts
PPPS: If anyone wants to try the custom XML policy stuff, keep in mind you should in parallel be looking at managing IE and trusted sites via GPO (hopefully as part of the IE10 or 11 SCM3 baseline and not using the legacy and horrid IEAK).
Mallory Bobalice

28 Posts
While on the subject of plugins and plugin management, a complementary plug for:

http://www.chromium.org/administrators/policy-list-3 | DefaultPluginsSetting=3 (click to play) | PluginsAllowedForUrls


> if I recall correctly [Chrome] auto updates [the Flash plugin] without Chrome having to necessarily

To correct myself, that's probably incorrect (Chrome's system update, not just the Flash plugin itself):
https://support.google.com/chrome/answer/108086?hl=en

In any case, I digress, given:

> Chrome's version of the Flash Player plugin is sandboxed, mitigating potential effects to end users.
Mallory Bobalice

28 Posts
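As an added example (not code from anyone in this thread), the PowerShell below applies the two mitigations Mallory Bobalice describes above: keeping IE's out-of-date ActiveX blocking on while pinning a locally authored versionlist.xml, and setting Chrome to click-to-play with an intranet allow-list via DefaultPluginsSetting and PluginsAllowedForUrls. The source path of the custom XML and the intranet URL are placeholders; the per-user cache location of versionlist.xml should be confirmed against the TechNet article linked earlier in the thread before deployment.

```powershell
# Added example, not from the thread. Run elevated on the target host (or wrap in a GPO startup script).
# Assumptions (placeholders): $CustomVersionList is an admin-authored versionlist.xml;
# $IntranetPluginUrls are the sites where Flash should still load in Chrome.
param(
    [string]$CustomVersionList   = 'C:\Deploy\versionlist.xml',          # placeholder path
    [string[]]$IntranetPluginUrls = @('https://intranet.example.com')     # placeholder URL
)

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    # Create the key if missing, then write a REG_DWORD value.
    New-Item -Path $Path -Force | Out-Null
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# --- Internet Explorer: out-of-date ActiveX control blocking (TechNet dn761713) ---
$iePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\VersionManager'
$ieMgr    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\VersionManager'
Set-RegDword $iePolicy 'VersionCheckEnabled' 1   # keep the blocking feature enabled (0 = off)
Set-RegDword $ieMgr    'DownloadVersionList' 0   # stop IE refreshing the list from Microsoft,
                                                  # so the local copy dropped below is not overwritten

# Distribute the custom list to each real user profile's cache location
# (assumed: %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml).
foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    if (-not (Test-Path (Join-Path $profile.FullName 'NTUSER.DAT'))) { continue }  # skip non-profiles
    $dest = Join-Path $profile.FullName 'AppData\Local\Microsoft\Internet Explorer\VersionManager'
    New-Item -Path $dest -ItemType Directory -Force | Out-Null
    Copy-Item -Path $CustomVersionList -Destination (Join-Path $dest 'versionlist.xml') -Force
}

# --- Chrome: click-to-play by default, plugins allowed only on listed intranet URLs ---
$chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
Set-RegDword $chrome 'DefaultPluginsSetting' 3    # 3 = click to play (1 = allow, 2 = block)

# PluginsAllowedForUrls is a list policy: values named "1", "2", ... under its own subkey.
$allow = Join-Path $chrome 'PluginsAllowedForUrls'
if (Test-Path $allow) { Remove-Item -Path $allow -Recurse }   # replace any stale list wholesale
New-Item -Path $allow -Force | Out-Null
$index = 1
foreach ($url in $IntranetPluginUrls) {
    Set-ItemProperty -Path $allow -Name ([string]$index) -Value $url -Type String
    $index++
}
```

Chrome picks the policy up on its next policy refresh (or via chrome://policy, Reload policies); IE reads the registry values and the cached list at next launch.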
Adobe have released another update for the Free Adobe Flash Player - v16.0.0.287.

The relevant Adobe bulletin can be found at:
http://helpx.adobe.com/security/products/flash-player/apsb15-02.html

I have just updated my main Windows 7 SP1 x64 build laptop today and will run a few tests to see if I get any issues.
MalcolmP

4 Posts
Kafeine reports EMET 5.1 blocked the exploit in a superficial, single configuration test:

Windows 8.1 32bits, Internet Explorer 11, Flash 16.0.0.257

EMET detected StackPivot mitigation and will close the application: iexplore.exe
Starlight

34 Posts
