
SANS ISC: YAFP (Yet Another Flash Patch) - SANS Internet Storm Center


YAFP (Yet Another Flash Patch)

Adobe issued a security advisory yesterday about a critical vulnerability (CVE-2016-1019) in Adobe Flash Player 21.0.0.197 and earlier. The vulnerability affects all OSes (Windows, Mac, Linux and Chrome OS).

As Adobe says, it “could cause a crash and potentially allow an attacker to take control of the affected system”. Well, strike that “potentially”, since it is being actively exploited in the wild.
The good news is that, at the moment, the current version of Flash Player (21.0.0.182) prevents exploitation of the vulnerability (at least by the exploits that are currently circulating).

In any case, Adobe should release the patch tomorrow (7.4.), so patch as soon as you can to be sure that the vulnerability has been completely mitigated (and, of course, use an addon such as NoScript).

Adobe offers a handy web page to check which version you currently have installed at http://www.adobe.com/software/flash/about/, while the original advisory is available at https://helpx.adobe.com/security/products/flash-player/apsa16-01.html

--
Bojan
@bojanz
INFIGO IS

Bojan

358 Posts
ISC Handler
My Citrix servers have version 21.0.0.197, which I thought was the latest.
Anonymous

Posts
I am still toying with the idea of deploying EMET and every time I see one of these, I wonder if EMET protects against the exploit. Does anybody test for this to confirm that EMET blocks the exploit?
Anonymous

Posts
Quoting Anonymous: My Citrix servers have version 21.0.0.197, which I thought was the latest.


According to Adobe's test page (link in the diary), 21.0.0.197 appears to be the latest version for some browsers, so that's probably what you're seeing - I should have made this more clear.
In any case, from what I can tell, all versions are vulnerable, but the exploit does not work against the latest two versions (for now).
Bojan

358 Posts
ISC Handler
Quoting Anonymous: I am still toying with the idea of deploying EMET and every time I see one of these, I wonder if EMET protects against the exploit. Does anybody test for this to confirm that EMET blocks the exploit?


Crossed my mind many times as well, but haven't played with it.
I think this would be a great test to see if EMET blocks the exploit - hope we get some good news from our readers :)
Bojan

358 Posts
ISC Handler
We deployed EMET organization wide last year and with the latest version (5.5) we have not had any issues. I can tell you in a lab environment it has blocked several flash exploits. As with any security countermeasure you should have another layer so this along with your other protections is a nice addition.
Anonymous

Posts
I'm one week away from no more Flash in IE. Just one GPO. Thank God the business doesn't need it for anything. So happy to get rid of it.
TuggDougins

33 Posts
Would EMET work in a defender's / pentester's toolkit? It does generate event log entries that can be collected centrally.

hxxps://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
"EMET will log this as an error message (EventID 2) and may, if configured to do so, display a pop-up notification to the end user. EMET however, does not have a centralized management console and a third-party log management solution should be used to collect these events."

EMET 5.5 user guide hxxps://www.microsoft.com/en-us/download/confirmation.aspx?id=50802 also describes the option for configuring local telemetry:
For troubleshooting purposes, we have added a “Local Telemetry” mode. When this mode is enabled, the information that would be sent through the “Early Warning” will be saved locally instead in a user-defined folder.
To enable this mode, users need to create two entries in the registry hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET:
 LocalTelemetryPath (string): path where to save the information (i.e. c:\emet_local_telemetry)
Optionally, you can create the following registry key to control what kind of MiniDump file to create:
 MiniDumpFlags (DWORD): 0x1ff (default value)
More information on the possible flags is available in the MSDN article hxxps://msdn.microsoft.com/library/windows/desktop/ms680519(v=vs.85).aspx.

OK, zooming back out. Balancing the level of details in security work is HARD.
dotBATman

59 Posts
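The two defensive points in the comment above (the registry values for EMET's "Local Telemetry" mode, and the EventID 2 entries that a central log collector should pick up) can be put together in a short script. The following is an added example, not code from the ISC diary, the EMET user guide or the SANS whitepaper quoted above. The registry key and value names come from the quoted guide text; the folder path is a constructed sample; the assumption that EMET writes to the Application log under the provider name "EMET" is mine and not stated on the page. Run it from an elevated PowerShell session on a host with EMET 5.5 installed.

```powershell
# Added example (not from the page or the EMET documentation): configure EMET 5.5
# "Local Telemetry" mode via the registry values named in the quoted user guide text,
# then collect EMET mitigation events (EventID 2) so they can be forwarded centrally.

function Set-EmetLocalTelemetry {
    param(
        # Constructed sample folder; any local path the EMET service can write to will do.
        [string]$Path = 'C:\emet_local_telemetry',
        # 0x1ff is the default MiniDumpFlags value quoted from the EMET 5.5 guide.
        [uint32]$MiniDumpFlags = 0x1ff
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\EMET'   # hive/key named in the quoted guide text

    if (-not (Test-Path $key))  { New-Item -Path $key -Force | Out-Null }
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # LocalTelemetryPath (REG_SZ): where EMET saves what "Early Warning" would have sent.
    New-ItemProperty -Path $key -Name 'LocalTelemetryPath' -PropertyType String `
        -Value $Path -Force | Out-Null

    # MiniDumpFlags (REG_DWORD): MINIDUMP_TYPE bitmask controlling dump contents.
    New-ItemProperty -Path $key -Name 'MiniDumpFlags' -PropertyType DWord `
        -Value $MiniDumpFlags -Force | Out-Null

    # Return the values actually stored so the change can be verified.
    Get-ItemProperty -Path $key | Select-Object LocalTelemetryPath, MiniDumpFlags
}

function Get-EmetMitigationEvents {
    param([int]$Hours = 24)

    # Assumption (not on the page): EMET logs to the Application log with provider
    # name "EMET". EventID 2 is the mitigation "error" event named in the quoted text.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'EMET'
        Id           = 2
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as empty.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Machine = $_.MachineName
                # First message line carries the mitigation name and the process it fired in.
                Summary = ($_.Message -split "`n")[0]
            }
        }
}

Set-EmetLocalTelemetry
Get-EmetMitigationEvents -Hours 168 | Format-Table -AutoSize
```

Because EMET has no central management console (as the quoted whitepaper notes), the second function is only useful once its output, or the underlying Application log, is shipped off the host by Windows Event Forwarding or a third-party log collector; the local telemetry folder then gives the responder the MiniDump for the blocked process when an EventID 2 alert needs triage.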
CVE-2016-1019 is not the only vulnerability fixed in the current flash update: the [un]installers of previous versions load a bunch of Windows system DLLs from their application directory instead of the Windows system directory, see CVE-2016-1014
This weakness and bloody beginner's error is well-known as https://cwe.mitre.org/data/definitions/426.html, https://cwe.mitre.org/data/definitions/427.html and https://capec.mitre.org/data/definitions/471.html
Anonymous

Posts
Did Microsoft update Flash? I do not see anything new after MS16-036.
Are they waiting for (to be bundled in, let it fester until) the upcoming Patch Tuesday?
Paul Szabo

13 Posts
Microsoft did update Adobe Flash Player.
See: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+Summary+for+April+2016/20935/
Anonymous

Posts
